Merge pull request #166 from internet2/pc_July23

bump IdP to 5.0.0, add phpPgAdmin

Workbench/comanage/Dockerfile

@@ -8,7 +8,7 @@ ENV COMANAGE_REGISTRY_DATABASE=registry
 ENV COMANAGE_REGISTRY_DATABASE_HOST=comanage-data
 ENV COMANAGE_REGISTRY_DATABASE_PORT=5432
 ENV COMANAGE_REGISTRY_DATABASE_USER=registry_user
-ENV COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=123321
+ENV COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=Password1
 ENV COMANAGE_REGISTRY_EMAIL_FROM=noreply@workbench.incommon.org
 ENV COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp
 ENV COMANAGE_REGISTRY_EMAIL_PORT=465

Workbench/comanage_cron/Dockerfile

@@ -7,7 +7,7 @@ ENV COMANAGE_REGISTRY_DATASOURCE=Database/Postgres
 ENV COMANAGE_REGISTRY_DATABASE=registry
 ENV COMANAGE_REGISTRY_DATABASE_HOST=comanage-data
 ENV COMANAGE_REGISTRY_DATABASE_USER=registry_user
-ENV COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=123321
+ENV COMANAGE_REGISTRY_DATABASE_USER_PASSWORD=Password1
 ENV COMANAGE_REGISTRY_EMAIL_FROM=xxxx@example.edu
 ENV COMANAGE_REGISTRY_EMAIL_TRANSPORT=Smtp
 ENV COMANAGE_REGISTRY_EMAIL_PORT=25

Workbench/comanage_data/container_files/seed-data/comanage-bootstrap.sql

@@ -6411,7 +6411,7 @@ COPY public.cm_servers (id, co_id, description, server_type, status, created, mo
 --
 
 COPY public.cm_sql_servers (id, server_id, type, hostname, username, password, databas, created, modified) FROM stdin;
-1	1	PG	comanage-midpoint-data	comanage_midpoint_loader	123321	comanage_midpoint_loader	2022-09-23 17:44:37	2022-09-23 17:52:08
+1	1	PG	comanage-midpoint-data	comanage_midpoint_loader	Password1	comanage_midpoint_loader	2022-09-23 17:44:37	2022-09-23 17:52:08
 \.
 
 

Workbench/configs-and-secrets/midpoint/application/database_password.txt

@@ -0,0 +1 @@
+password

Workbench/directory/Dockerfile

@@ -2,12 +2,23 @@ FROM centos:centos7
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
-RUN yum install -y epel-release \
+RUN yum install -y epel-release yum-utils \
     && yum update -y \
-    && yum install -y 389-ds-base phpMyAdmin phpldapadmin mod_ssl net-tools \
+    && yum install -y 389-ds-base phpMyAdmin phpldapadmin mod_ssl net-tools wget \
     && yum clean all \
     && rm -rf /var/cache/yum
 
+RUN yum -y install http://rpms.remirepo.net/enterprise/remi-release-7.rpm && yum-config-manager --enable remi-php73
+
+RUN yum -y install php php-common php-opcache php-mcrypt php-cli php-gd php-curl mod_php php-pgsql
+
+#wget https://github.com/phppgadmin/phppgadmin/releases/download/REL_7-13-0/phpPgAdmin-7.13.0.tar.gz
+
+RUN wget https://github.com/phppgadmin/phppgadmin/archive/refs/tags/REL_7-13-0.tar.gz \
+    && tar -xvf REL_7-13-0.tar.gz && mv phppgadmin-REL_7-13-0/ /usr/share/phpPgAdmin/ \
+    && chown -R apache:apache /usr/share/phpPgAdmin 
+COPY container_files/etc/phpPgAdmin/config.inc.php /usr/share/phpPgAdmin/conf/
+
 COPY container_files/seed-data/ /seed-data/
 COPY container_files/httpd/* /etc/httpd/conf.d/
 COPY container_files/etc/ /etc/

Workbench/directory/container_files/etc/phpPgAdmin/config.inc.php

@@ -0,0 +1,182 @@
+<?php
+
+	/**
+	 * Central phpPgAdmin configuration.  As a user you may modify the
+	 * settings here for your particular configuration.
+	 *
+	 * $Id: config.inc.php-dist,v 1.55 2008/02/18 21:10:31 xzilla Exp $
+	 */
+
+	// An example server.  Create as many of these as you wish,
+	// indexed from zero upwards.
+
+	// Display name for the server on the login screen
+	$conf['servers'][0]['desc'] = 'Grouper DB  (grouper)';
+
+	// Hostname or IP address for server.  Use '' for UNIX domain socket.
+	// use 'localhost' for TCP/IP connection on this computer
+	$conf['servers'][0]['host'] = 'grouper_data';
+
+	// Database port on server (5432 is the PostgreSQL default)
+	$conf['servers'][0]['port'] = 5432;
+
+	// Database SSL mode
+	// Possible options: disable, allow, prefer, require
+	// To require SSL on older servers use option: legacy
+	// To ignore the SSL mode, use option: unspecified
+	//$conf['servers'][0]['sslmode'] = 'allow';
+
+	// Change the default database only if you cannot connect to template1.
+	// For a PostgreSQL 8.1+ server, you can set this to 'postgres'.
+	$conf['servers'][0]['defaultdb'] = 'grouper';
+
+	// Specify the path to the database dump utilities for this server.
+	// You can set these to '' if no dumper is available.
+	$conf['servers'][0]['pg_dump_path'] = '/usr/bin/pg_dump';
+	$conf['servers'][0]['pg_dumpall_path'] = '/usr/bin/pg_dumpall';
+
+	// midPoint
+	$conf['servers'][1]['desc'] = 'midPoint DB  (midpoint)';
+	$conf['servers'][1]['host'] = 'midpoint_data';
+	$conf['servers'][1]['port'] = 5432;
+	//$conf['servers'][1]['sslmode'] = 'allow';
+	$conf['servers'][1]['defaultdb'] = 'midpoint';
+	$conf['servers'][1]['pg_dump_path'] = '/usr/bin/pg_dump';
+	$conf['servers'][1]['pg_dumpall_path'] = '/usr/bin/pg_dumpall';
+
+        // COmanage DB
+        $conf['servers'][2]['desc'] = 'COmanage DB (registry_user)';
+        $conf['servers'][2]['host'] = 'comanage_data';
+        $conf['servers'][2]['port'] = 5432;
+        //$conf['servers'][2]['sslmode'] = 'allow';
+        $conf['servers'][2]['defaultdb'] = 'registry';
+        $conf['servers'][2]['pg_dump_path'] = '/usr/bin/pg_dump';
+        $conf['servers'][2]['pg_dumpall_path'] = '/usr/bin/pg_dumpall';
+
+	/* Groups definition */
+	/* Groups allow administrators to logicaly group servers together under
+	 * group nodes in the left browser tree
+	 *
+	 * The group '0' description
+	 */
+	//$conf['srv_groups'][0]['desc'] = 'group one';
+
+	/* Add here servers indexes belonging to the group '0' separated by comma */
+	//$conf['srv_groups'][0]['servers'] = '0,1,2';
+
+	/* A server can belong to multi groups. Here server 1 is referenced in both
+	 * 'group one' and 'group two'*/
+	//$conf['srv_groups'][1]['desc'] = 'group two';
+	//$conf['srv_groups'][1]['servers'] = '3,1';
+
+	/* A group can be nested in one or more existing groups using the 'parents'
+	 * parameter. Here the group 'group three' contains only one server and will
+	 * appear as a subgroup in both 'group one' and 'group two':
+	 */
+	//$conf['srv_groups'][2]['desc'] = 'group three';
+	//$conf['srv_groups'][2]['servers'] = '4';
+	//$conf['srv_groups'][2]['parents'] = '0,1';
+
+	/* Warning: Only groups with no parents appears at the root of the tree. */
+
+	/* You can apply specific theme depending on servers, users and databases
+	 * The priority order is :
+	 *   * the theme defined for a server
+	 *   * the theme defined for a database apply over the server one
+	 *   * the theme defined for a user apply over the database one
+	 */
+	/* Example for servers */
+	//$conf['servers'][0]['theme']['default'] = 'default';
+	/* Example for users */
+	//$conf['servers'][0]['theme']['user']['specific_user'] = 'default';
+	/* Example for databases */
+	//$conf['servers'][0]['theme']['db']['specific_db'] = 'default';
+
+	// Default language. E.g.: 'english', 'polish', etc.  See lang/ directory
+	// for all possibilities. If you specify 'auto' (the default) it will use
+	// your browser preference.
+	$conf['default_lang'] = 'auto';
+
+	// AutoComplete uses AJAX interaction to list foreign key values
+	// on insert fields. It currently only works on single column
+	// foreign keys. You can choose one of the following values:
+	// 'default on' enables AutoComplete and turns it on by default.
+	// 'default off' enables AutoComplete but turns it off by default.
+	// 'disable' disables AutoComplete.
+	$conf['autocomplete'] = 'default on';
+
+	// If extra login security is true, then logins via phpPgAdmin with no
+	// password or certain usernames (pgsql, postgres, root, administrator)
+	// will be denied. Only set this false once you have read the FAQ and
+	// understand how to change PostgreSQL's pg_hba.conf to enable
+	// passworded local connections.
+	$conf['extra_login_security'] = true;
+
+	// Only show owned databases?
+	// Note: This will simply hide other databases in the list - this does
+	// not in any way prevent your users from seeing other database by
+	// other means. (e.g. Run 'SELECT * FROM pg_database' in the SQL area.)
+	$conf['owned_only'] = false;
+
+	// Display comments on objects?  Comments are a good way of documenting
+	// a database, but they do take up space in the interface.
+	$conf['show_comments'] = true;
+
+	// Display "advanced" objects? Setting this to true will show
+	// aggregates, types, operators, operator classes, conversions,
+	// languages and casts in phpPgAdmin. These objects are rarely
+	// administered and can clutter the interface.
+	$conf['show_advanced'] = false;
+
+	// Display "system" objects?
+	$conf['show_system'] = false;
+
+	// Minimum length users can set their password to.
+	$conf['min_password_length'] = 1;
+
+	// Width of the left frame in pixels (object browser)
+	$conf['left_width'] = 200;
+
+	// Which look & feel theme to use
+	$conf['theme'] = 'default';
+
+	// Show OIDs when browsing tables?
+	// Only supported in versions <=11
+	$conf['show_oids'] = false;
+
+	// Max rows to show on a page when browsing record sets
+	$conf['max_rows'] = 30;
+
+	// Max chars of each field to display by default in browse mode
+	$conf['max_chars'] = 50;
+
+	// Send XHTML strict headers?
+	$conf['use_xhtml_strict'] = false;
+
+	// Base URL for PostgreSQL documentation.
+	// '%s', if present, will be replaced with the PostgreSQL version
+	// (e.g. 8.4 )
+	$conf['help_base'] = 'http://www.postgresql.org/docs/%s/interactive/';
+
+	// Configuration for ajax scripts
+	// Time in seconds. If set to 0, refreshing data using ajax will be disabled (locks and activity pages)
+	$conf['ajax_refresh'] = 3;
+
+	/** Plugins management
+	 * Add plugin names to the following array to activate them
+	 * Example:
+	 *   $conf['plugins'] = array(
+	 *     'Example',
+	 *     'Slony'
+	 *   );
+	 */
+	$conf['plugins'] = array();
+
+	/*****************************************
+	 * Don't modify anything below this line *
+	 *****************************************/
+
+	$conf['version'] = 19;
+
+?>
+

Workbench/directory/container_files/httpd/phpPgAdmin.conf

@@ -0,0 +1,27 @@
+#
+# This configuration file maps the phpPgAdmin directory into the URL space. 
+# By default this application is only accessible from the local host.
+#
+
+Alias /phpPgAdmin /usr/share/phpPgAdmin
+
+<Location /phpPgAdmin>
+    <IfModule mod_authz_core.c>
+        # Apache 2.4
+        <RequireAny>
+           Require all granted
+	   # Require ip 127.0.0.1
+	   # Require ip ::1
+           # Require host example.com
+        </RequireAny>
+    </IfModule>
+    <IfModule !mod_authz_core.c>
+        # Apache 2.2
+        Order deny,allow
+        Deny from all
+        Allow from 127.0.0.1
+        Allow from ::1
+        # Allow from .example.com
+    </IfModule>
+</Location>
+

Workbench/docker-compose.yml

@@ -211,7 +211,7 @@ services:
     build: ./comanage_data/
     environment:
       POSTGRES_USER: registry_user
-      POSTGRES_PASSWORD: 123321
+      POSTGRES_PASSWORD: Password1
       POSTGRES_DB: registry
     networks:
       net:
@@ -231,7 +231,7 @@ services:
     build: ./comanage_midpoint_data/
     environment:
       POSTGRES_USER: comanage_midpoint_loader
-      POSTGRES_PASSWORD: 123321
+      POSTGRES_PASSWORD: Password1
       POSTGRES_DB: comanage_midpoint_loader
     networks:
       net:
@@ -259,8 +259,10 @@ services:
         "
     environment:
      - MP_INIT_DB_CONCAT=/opt/db-init/init.sql
-     - MP_DB_PW=/opt/mp-pw/dbpassword
+     - MP_DB_PW=/run/secrets/m_database_password.txt
      - MP_PW_DEF=/opt/mp-pw/keystorepw
+    secrets:
+     - m_database_password.txt
     volumes:
      - db_init:/opt/db-init
      - mp_pw:/opt/mp-pw
@@ -270,7 +272,7 @@ services:
     command: >
         bash -c "
         rm -f /var/lib/postgresql/data/postmaster.pid ;
-        while [ ! -s /opt/mp-pw/dbpassword -o -e /opt/mp-pw/init_in_progress ] ; do
+        while [ ! -s /run/secrets/m_database_password.txt -o -e /opt/mp-pw/init_in_progress ] ; do
          echo 'Waiting to the end of the init process...';
          sleep 1;
         done ;
@@ -288,9 +290,11 @@ services:
     depends_on:
      - data_init
     environment:
-     - POSTGRES_PASSWORD_FILE=/opt/mp-pw/dbpassword
+     - POSTGRES_PASSWORD_FILE=/run/secrets/m_database_password.txt
      - POSTGRES_USER=midpoint
      - POSTGRES_INITDB_ARGS=--lc-collate=en_US.utf8 --lc-ctype=en_US.utf8
+    secrets:
+     - m_database_password.txt
     ports:
      - 5432:5432 
     healthcheck:
@@ -320,7 +324,7 @@ services:
      - USERTOKEN
      - REPO_DATABASE_TYPE=postgresql
      - MP_SET_midpoint_repository_jdbcUsername=midpoint
-     - MP_SET_midpoint_repository_jdbcPassword_FILE=/opt/mp-pw/dbpassword
+     - MP_SET_midpoint_repository_jdbcPassword_FILE=/run/secrets/m_database_password.txt
      - MP_SET_midpoint_repository_jdbcUrl=jdbc:postgresql://midpoint_data:5432/midpoint
      - MP_SET_midpoint_keystore_keyStorePassword_FILE=/opt/mp-pw/keystorepw
      - MP_SET_server_tomcat_ajp_enabled=true
@@ -339,6 +343,7 @@ services:
         aliases:
          - midpoint-server
     secrets:
+     - m_database_password.txt
      - mp_host-key.pem
      - mp_shibboleth_sp_keys.jks
     volumes:
@@ -610,6 +615,8 @@ secrets:
   rabbitmq_password.txt:
     file: ./configs-and-secrets/grouper/application/rabbitmq_password.txt
 # midPoint
+  m_database_password.txt:
+    file: ./configs-and-secrets/midpoint/application/database_password.txt
   mp_host-key.pem:
     file: ./configs-and-secrets/midpoint/httpd/host-key.pem
   mp_shibboleth_sp_keys.jks:

Workbench/idp/Dockerfile

@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp:4.3.0_20230118
+FROM i2incommon/shib-idp:5.0.0_20230914_rocky8_multiarch
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 

Workbench/idp/shibboleth-idp/conf/attribute-filter.xml

@@ -14,6 +14,13 @@
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
 
+    <!-- Release home org signifier to everybody. -->
+    <AttributeFilterPolicy id="alwaysRelease">
+        <PolicyRequirementRule xsi:type="ANY" />
+
+        <AttributeRule attributeID="schacHomeOrganization" permitAny="true" />
+    </AttributeFilterPolicy>
+
     <!--
     Example rule relying on a locally applied tag in metadata to trigger attribute
     release of some specific attributes. Add additional attributes as desired.

Workbench/idp/shibboleth-idp/conf/relying-party.xml

@@ -33,18 +33,17 @@
             <list>
                 <!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. -->
                 <!--
-                <bean parent="Shibboleth.SSO" />
+                <ref bean="Shibboleth.SSO" />
                 <ref bean="SAML1.AttributeQuery" />
                 <ref bean="SAML1.ArtifactResolution" />
                 -->
-                <bean parent="SAML2.SSO.MDDriven" />
+                <ref bean="SAML2.SSO.MDDriven" />
                 <ref bean="SAML2.ECP" />
                 <ref bean="SAML2.Logout" />
                 <!--
                 <ref bean="SAML2.AttributeQuery" />
                 -->
                 <ref bean="SAML2.ArtifactResolution" />
-                <ref bean="Liberty.SSOS" />
             </list>
         </property>
     </bean>

Workbench/midpoint_server/container_files/mp-home/post-initial-objects/resources/100-guest-db.xml

@@ -17,7 +17,7 @@
             <gen605:port>5432</gen605:port>
             <gen605:user>comanage_midpoint_loader</gen605:user>
             <gen605:password>
-				<clearValue>123321</clearValue>
+				<clearValue>Password1</clearValue>
             </gen605:password>
             <gen605:database>comanage_midpoint_loader</gen605:database>
             <gen605:table>vwPersons</gen605:table>