fixes for overzealous cleanup

Workbench/ad/container_files/start.sh

@@ -0,0 +1,129 @@
+#!/bin/bash
+# based on work at https://github.com/Fmstrat/samba-domain
+
+set -e
+
+appSetup () {
+
+	# Set variables
+	DOMAIN=${DOMAIN:-SAMDOM.LOCAL}
+	DOMAINPASS=${DOMAINPASS:-password}
+	JOIN=${JOIN:-false}
+	JOINSITE=${JOINSITE:-NONE}
+	MULTISITE=${MULTISITE:-false}
+	NOCOMPLEXITY=${NOCOMPLEXITY:-false}
+	INSECURELDAP=${INSECURELDAP:-false}
+	DNSFORWARDER=${DNSFORWARDER:-NONE}
+	HOSTIP=${HOSTIP:-NONE}
+
+	LDOMAIN=${DOMAIN,,}
+	UDOMAIN=${DOMAIN^^}
+	URDOMAIN=${UDOMAIN%%.*}
+
+	# If multi-site, we need to connect to the VPN before joining the domain
+	if [[ ${MULTISITE,,} == "true" ]]; then
+		/usr/sbin/openvpn --config /docker.ovpn &
+		VPNPID=$!
+		echo "Sleeping 30s to ensure VPN connects ($VPNPID)";
+		sleep 30
+	fi
+
+        # Set host ip option
+        if [[ "$HOSTIP" != "NONE" ]]; then
+		HOSTIP_OPTION="--host-ip=$HOSTIP"
+        else
+		HOSTIP_OPTION=""
+        fi
+
+	# Set up samba
+	mv /etc/krb5.conf /etc/krb5.conf.orig
+	echo "[libdefaults]" > /etc/krb5.conf
+	echo "    dns_lookup_realm = false" >> /etc/krb5.conf
+	echo "    dns_lookup_kdc = true" >> /etc/krb5.conf
+	echo "    default_realm = ${UDOMAIN}" >> /etc/krb5.conf
+	# If the finished file isn't there, this is brand new, we're not just moving to a new container
+	if [[ ! -f /etc/samba/external/smb.conf ]]; then
+		mv /etc/samba/smb.conf /etc/samba/smb.conf.orig
+		if [[ ${JOIN,,} == "true" ]]; then
+			if [[ ${JOINSITE} == "NONE" ]]; then
+				samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL
+			else
+				samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL --site=${JOINSITE}
+			fi
+		else
+			samba-tool domain provision --use-rfc2307 --domain=${URDOMAIN} --realm=${UDOMAIN} --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=${DOMAINPASS} ${HOSTIP_OPTION}
+			if [[ ${NOCOMPLEXITY,,} == "true" ]]; then
+				samba-tool domain passwordsettings set --complexity=off
+				samba-tool domain passwordsettings set --history-length=0
+				samba-tool domain passwordsettings set --min-pwd-age=0
+				samba-tool domain passwordsettings set --max-pwd-age=0
+			fi
+		fi
+		sed -i "/\[global\]/a \
+			\\\tidmap_ldb:use rfc2307 = yes\\n\
+			wins support = yes\\n\
+			template shell = /bin/bash\\n\
+			winbind nss info = rfc2307\\n\
+			idmap config ${URDOMAIN}: range = 10000-20000\\n\
+			idmap config ${URDOMAIN}: backend = ad\
+			" /etc/samba/smb.conf
+		if [[ $DNSFORWARDER != "NONE" ]]; then
+			sed -i "/\[global\]/a \
+				\\\tdns forwarder = ${DNSFORWARDER}\
+				" /etc/samba/smb.conf
+		fi
+		if [[ ${INSECURELDAP,,} == "true" ]]; then
+			sed -i "/\[global\]/a \
+				\\\tldap server require strong auth = no\
+				" /etc/samba/smb.conf
+		fi
+		# Once we are set up, we'll make a file so that we know to use it if we ever spin this up again
+		cp /etc/samba/smb.conf /etc/samba/external/smb.conf
+	else
+		cp /etc/samba/external/smb.conf /etc/samba/smb.conf
+	fi
+
+	# Set up supervisor
+	echo "[supervisord]" > /etc/supervisor/conf.d/supervisord.conf
+	echo "nodaemon=true" >> /etc/supervisor/conf.d/supervisord.conf
+	echo "" >> /etc/supervisor/conf.d/supervisord.conf
+	echo "[program:samba]" >> /etc/supervisor/conf.d/supervisord.conf
+	echo "command=/usr/sbin/samba -i" >> /etc/supervisor/conf.d/supervisord.conf
+	if [[ ${MULTISITE,,} == "true" ]]; then
+		if [[ -n $VPNPID ]]; then
+			kill $VPNPID
+		fi
+		echo "" >> /etc/supervisor/conf.d/supervisord.conf
+		echo "[program:openvpn]" >> /etc/supervisor/conf.d/supervisord.conf
+		echo "command=/usr/sbin/openvpn --config /docker.ovpn" >> /etc/supervisor/conf.d/supervisord.conf
+	fi
+
+	appStart
+}
+
+appStart () {
+	/usr/bin/supervisord
+}
+
+case "$1" in
+	start)
+		if [[ -f /etc/samba/external/smb.conf ]]; then
+			cp /etc/samba/external/smb.conf /etc/samba/smb.conf
+			appStart
+		else
+			echo "Config file is missing."
+		fi
+		;;
+	setup)
+		# If the supervisor conf isn't there, we're spinning up a new container
+		if [[ -f /etc/supervisor/conf.d/supervisord.conf ]]; then
+			appStart
+		else
+			appSetup
+		fi
+		;;
+esac
+
+exit 0
+
+

Workbench/comanage/container_files/system/setservername.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+

Workbench/comanage_cron/Dockerfile

@@ -36,9 +36,9 @@ RUN mkdir -p /srv/comanage-registry/local/Plugin/
 RUN ln -s /srv/comanage-registry/app/AvailablePlugin/SqlProvisioner /srv/comanage-registry/local/Plugin/
 
 COPY container_files/system/setupcroncomanage.sh /usr/local/bin/setupcroncomanage.sh
-COPY container_files/system/runcomangejob.sh /usr/local/bin/
+COPY container_files/system/runcomanagejob.sh /usr/local/bin/
 COPY --chown=www-data:www-data container_files/system/root-crontab /usr/local/etc
-RUN chmod 755 /usr/local/bin/runcomangejob.sh && \
+RUN chmod 755 /usr/local/bin/runcomanagejob.sh && \
     /usr/bin/crontab -u www-data /usr/local/etc/root-crontab
 
 ENV COMANAGE_REGISTRY_CRONTAB=/usr/local/etc/root-crontab

Workbench/comanage_cron/container_files/system/runcomanagejob.sh

@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# ensure php is in the path
+export PATH=$PATH:/usr/local/bin
+
+if [ "$#" -ne 1 ]; 
+    then 
+    echo Executing job to run expirations, syncorgsources, and groupvalidity tasks
+    cd /srv/comanage-registry/app && Console/cake job -q
+    exit
+fi
+
+echo Executing job shell for CO number $1
+cd /srv/comanage-registry/app && Console/cake job -q -r -c $1
+echo Done executing job shell for CO number $1
+

Workbench/comanage_cron/container_files/system/setupcroncomanage.sh

@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# COmanage Registry shell script to install TIER beacon crontab
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+CRONFILE='/tmp/cronfile'
+
+# Set up job scripts for COmanage Cos
+
+echo "# Run the job queue for CO 1 every 5 minutes" >> "${CRONFILE}"
+#echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * *    cd /srv/comanage-registry/app && Console/cake job -q -r -c 1 >> /tmp/cron.log" >> "${CRONFILE}"
+echo "* * * * *  /usr/local/bin/runcomangejob.sh 1" >> "${CRONFILE}"
+echo "# Run the job queue for CO 2 every 5 minutes, but 2 minutes later than for CO 1" >> "${CRONFILE}"
+echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * *    /usr/local/bin/runcomangejob.sh 2 "  >> "${CRONFILE}"
+echo "# TODO support an arbitrary number of COs for jobshell" >> "${CRONFILE}"
+echo "# Deprecated job to run expirations, syncorgsources, and groupvalidity tasks (until Registry v4.0.0)" >> "${CRONFILE}"
+echo "0 * * * *    cd /srv/comanage-registry/app && Console/cake job -q" >> "${CRONFILE}"
+
+chmod 644 "${CRONFILE}"
+crontab "${CRONFILE}"
+

Workbench/grouper_data/container_files/bootstrap/initialize.gsh

@@ -0,0 +1,98 @@
+System.out.println("************** initialize.gsh starting...")
+
+gs = GrouperSession.startRootSession()
+
+addStem("", "app", "app")
+addStem("", "basis", "basis")
+addStem("", "bundle", "bundle")
+addStem("", "org", "org")
+addStem("", "test", "test")
+
+addRootStem("ref", "ref")
+addStem("ref", "course", "Course")
+addStem("ref", "dept", "Department")
+addStem("ref", "affiliation", "Affiliation")
+
+new GroupSave().assignName("ref:affiliation:alum").assignDisplayName("Alumni").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:community").assignDisplayName("Community").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:faculty").assignDisplayName("Faculty").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:member").assignDisplayName("Member").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:staff").assignDisplayName("Staff").assignCreateParentStemsIfNotExist(true).save();
+new GroupSave().assignName("ref:affiliation:student").assignDisplayName("Student").assignCreateParentStemsIfNotExist(true).save();
+
+group = GroupFinder.findByName(gs, "etc:sysadmingroup", true)
+group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign()
+attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true)
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=sysadmingroup)")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=midpoint,ou=Groups")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}')
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember")
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId")
+
+admins = new GroupSave(gs).assignName("app:wordpress:admins").assignCreateParentStemsIfNotExist(true).save()
+editors = new GroupSave(gs).assignName("app:wordpress:editors").assignCreateParentStemsIfNotExist(true).save()
+chess = new GroupSave(gs).assignName("app:mailinglist:chess").assignCreateParentStemsIfNotExist(true).save()
+idmfans = new GroupSave(gs).assignName("app:mailinglist:idm-fans").assignCreateParentStemsIfNotExist(true).save()
+cs = new GroupSave(gs).assignName("app:cs").assignCreateParentStemsIfNotExist(true).save()
+volunteers = new GroupSave(gs).assignName("test:volunteers").assignCreateParentStemsIfNotExist(true).save()
+
+
+group = new GroupSave(gs).assignName("etc:affiliationLoader").assignCreateParentStemsIfNotExist(true).save()
+group.addType(GroupTypeFinder.find("grouperLoader"))
+group.setAttribute("grouperLoaderDbName", "sis")
+group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST")
+group.setAttribute("grouperLoaderScheduleType", "CRON")
+group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?")
+group.setAttribute("grouperLoaderDbName", "sis")
+group.setAttribute("grouperLoaderGroupTypes", "addIncludeExclude")
+group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:affiliation:',affiliation,'_systemOfRecord') as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_AFFILIATIONS")
+
+group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save()
+group.addType(GroupTypeFinder.find("grouperLoader"))
+group.setAttribute("grouperLoaderDbName", "sis")
+group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST")
+group.setAttribute("grouperLoaderScheduleType", "CRON")
+group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?")
+group.setAttribute("grouperLoaderDbName", "sis")
+group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:dept:',department) as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_PERSONS where department is not null")
+
+group = new GroupSave(gs).assignName("etc:coursesLoader").assignCreateParentStemsIfNotExist(true).save()
+group.addType(GroupTypeFinder.find("grouperLoader"))
+group.setAttribute("grouperLoaderDbName", "sis")
+group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST")
+group.setAttribute("grouperLoaderScheduleType", "CRON")
+group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?")
+group.setAttribute("grouperLoaderDbName", "sis")
+group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:course:',courseId) as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_COURSES")
+
+edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.scheduleLoads()
+
+
+
+def addGroups(gs,stem,owner,regexp) {
+	for (group in stem.childGroups) {
+		if (!group.name.endsWith('_includes') &&
+		    !group.name.endsWith('_excludes') &&
+		    !group.name.endsWith('_systemOfRecord') &&
+		    !group.name.endsWith('_systemOfRecordAndIncludes') &&
+		    (regexp == null || group.extension ==~ regexp)) {
+			println 'Adding: ' + group
+			def s = SubjectFinder.findById(group.getId(), 'group', 'g:gsa')
+			owner.addMember(s, false)
+		} else {
+			println 'Ignoring: ' + group
+		}
+	}
+}
+
+def cs = GroupFinder.findByName(gs, "app:cs", true)
+
+gs = GrouperSession.startRootSession()
+addGroups(gs, StemFinder.findByName(gs, 'ref:course'), cs, /CS.*/)
+
+System.out.println("************** initialize.gsh done.")
+

Workbench/grouper_data/container_files/bootstrap/set-prov.gsh

@@ -0,0 +1,37 @@
+
+provisioner_name="midPoint";
+GrouperSession grouperSession = GrouperSession.startRootSession();
+
+def setProvOnStem(grouperSession,provisioner_name,folder_name) {
+  AttributeAssign attributeAssignMarker = null;
+  attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerStemName(folder_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save();
+
+}
+
+def setProvOnGroup(grouperSession,provisioner_name,group_name) {
+  AttributeAssign attributeAssignMarker = null;
+  attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerGroupName(group_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save();
+  new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save();
+
+}
+
+setProvOnStem(grouperSession,provisioner_name,"app")
+setProvOnStem(grouperSession,provisioner_name,"test")
+setProvOnStem(grouperSession,provisioner_name,"ref:dept")
+setProvOnStem(grouperSession,provisioner_name,"ref:course")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:alum")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:community")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:faculty")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:member")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:staff")
+setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:student")
+

Workbench/grouper_ui/container_files/system/setservername.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+

Workbench/idp/container_files/system/setservername.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+

Workbench/idp_ui/container_files/system/setservername.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/opt/shibui/application.yml /opt/shibui/saml/idp-metadata.xml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+

Workbench/midpoint_server/container_files/system/setservername.sh

@@ -0,0 +1,10 @@
+#!/bin/bash
+
+files="/opt/midpoint/var/post-initial-objects/securityPolicy/000-security-policy.xml /etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+  do
+    echo "Editing file $file with value $CSPHOSTNAME"
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
+

Workbench/mq/container_files/usr-local-bin/demo-entrypoint.sh

@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ ! -e $RABBITMQ_INIT_DONE_FILE ]; then
+    /usr/local/bin/initialize-rabbitmq.sh &
+else
+    echo "RabbitMQ was already initialized"
+fi
+/usr/local/bin/entrypoint.sh "$@"
+