From 5d4a28416cdd0176b141f2610fc005b346f52282 Mon Sep 17 00:00:00 2001 
From: Paul Caskey Date: Sat, 26 Aug 2023 12:38:11 +0000 Subject: [PATCH] fixes for overzealous cleanup --- Workbench/ad/container_files/start.sh | 129 ++++++++++++ .../container_files/system/setservername.sh | 9 + Workbench/comanage_cron/Dockerfile | 4 +- .../container_files/system/runcomanagejob.sh | 16 ++ .../system/setupcroncomanage.sh | 37 ++++ .../container_files/bootstrap/initialize.gsh | 98 ++++++++++ .../container_files/bootstrap/set-prov.gsh | 37 ++++ .../container_files/system/setservername.sh | 9 + .../container_files/system/setservername.sh | 9 + .../container_files/system/setservername.sh | 9 + .../container_files/system/setservername.sh | 10 + .../usr-local-bin/demo-entrypoint.sh | 9 + .../usr-local-bin/initialize-rabbitmq.sh | 13 ++ .../container_files/mdload/addAttrRel.sh | 21 ++ .../webproxy/container_files/mdload/loadMD.sh | 55 ++++++ .../container_files/mdload/wait-for-it.sh | 183 ++++++++++++++++++ .../container_files/system/setservername.sh | 9 + .../container_files/system/startWithMDLoad.sh | 13 ++ .../container_files/system/setservername.sh | 9 + .../container_files/wordpress/sed.sh | 15 ++ 20 files changed, 692 insertions(+), 2 deletions(-) create mode 100755 Workbench/ad/container_files/start.sh create mode 100755 Workbench/comanage/container_files/system/setservername.sh create mode 100755 Workbench/comanage_cron/container_files/system/runcomanagejob.sh create mode 100755 Workbench/comanage_cron/container_files/system/setupcroncomanage.sh create mode 100644 Workbench/grouper_data/container_files/bootstrap/initialize.gsh create mode 100644 Workbench/grouper_data/container_files/bootstrap/set-prov.gsh create mode 100755 Workbench/grouper_ui/container_files/system/setservername.sh create mode 100755 Workbench/idp/container_files/system/setservername.sh create mode 100755 Workbench/idp_ui/container_files/system/setservername.sh create mode 100755 Workbench/midpoint_server/container_files/system/setservername.sh create mode 100755 
Workbench/mq/container_files/usr-local-bin/demo-entrypoint.sh
create mode 100755 Workbench/mq/container_files/usr-local-bin/initialize-rabbitmq.sh
create mode 100755 Workbench/webproxy/container_files/mdload/addAttrRel.sh
create mode 100755 Workbench/webproxy/container_files/mdload/loadMD.sh
create mode 100755 Workbench/webproxy/container_files/mdload/wait-for-it.sh
create mode 100755 Workbench/webproxy/container_files/system/setservername.sh
create mode 100755 Workbench/webproxy/container_files/system/startWithMDLoad.sh
create mode 100755 Workbench/wordpress_server/container_files/system/setservername.sh
create mode 100755 Workbench/wordpress_server/container_files/wordpress/sed.sh
diff --git a/Workbench/ad/container_files/start.sh b/Workbench/ad/container_files/start.sh
new file mode 100755
index 0000000..a40915e
--- /dev/null
+++ b/Workbench/ad/container_files/start.sh
@@ -0,0 +1,129 @@ +#!/bin/bash +# based on work at https://github.com/Fmstrat/samba-domain + +set -e + +appSetup () { + + # Set variables + DOMAIN=${DOMAIN:-SAMDOM.LOCAL} + DOMAINPASS=${DOMAINPASS:-password} + JOIN=${JOIN:-false} + JOINSITE=${JOINSITE:-NONE} + MULTISITE=${MULTISITE:-false} + NOCOMPLEXITY=${NOCOMPLEXITY:-false} + INSECURELDAP=${INSECURELDAP:-false} + DNSFORWARDER=${DNSFORWARDER:-NONE} + HOSTIP=${HOSTIP:-NONE} + + LDOMAIN=${DOMAIN,,} + UDOMAIN=${DOMAIN^^} + URDOMAIN=${UDOMAIN%%.*} + + # If multi-site, we need to connect to the VPN before joining the domain + if [[ ${MULTISITE,,} == "true" ]]; then + /usr/sbin/openvpn --config /docker.ovpn & + VPNPID=$! + echo "Sleeping 30s to ensure VPN connects ($VPNPID)"; + sleep 30 + fi + + # Set host ip option + if [[ "$HOSTIP" != "NONE" ]]; then + HOSTIP_OPTION="--host-ip=$HOSTIP" + else + HOSTIP_OPTION="" + fi + + # Set up samba + mv /etc/krb5.conf /etc/krb5.conf.orig + echo "[libdefaults]" > /etc/krb5.conf + echo " dns_lookup_realm = false" >> /etc/krb5.conf + echo " dns_lookup_kdc = true" >> /etc/krb5.conf + echo " default_realm = ${UDOMAIN}" >> /etc/krb5.conf + # If the finished file isn't there, this is brand new, we're not just moving to a new container + if [[ ! 
-f /etc/samba/external/smb.conf ]]; then + mv /etc/samba/smb.conf /etc/samba/smb.conf.orig + if [[ ${JOIN,,} == "true" ]]; then + if [[ ${JOINSITE} == "NONE" ]]; then + samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL + else + samba-tool domain join ${LDOMAIN} DC -U"${URDOMAIN}\administrator" --password="${DOMAINPASS}" --dns-backend=SAMBA_INTERNAL --site=${JOINSITE} + fi + else + samba-tool domain provision --use-rfc2307 --domain=${URDOMAIN} --realm=${UDOMAIN} --server-role=dc --dns-backend=SAMBA_INTERNAL --adminpass=${DOMAINPASS} ${HOSTIP_OPTION} + if [[ ${NOCOMPLEXITY,,} == "true" ]]; then + samba-tool domain passwordsettings set --complexity=off + samba-tool domain passwordsettings set --history-length=0 + samba-tool domain passwordsettings set --min-pwd-age=0 + samba-tool domain passwordsettings set --max-pwd-age=0 + fi + fi + sed -i "/\[global\]/a \ + \\\tidmap_ldb:use rfc2307 = yes\\n\ + wins support = yes\\n\ + template shell = /bin/bash\\n\ + winbind nss info = rfc2307\\n\ + idmap config ${URDOMAIN}: range = 10000-20000\\n\ + idmap config ${URDOMAIN}: backend = ad\ + " /etc/samba/smb.conf + if [[ $DNSFORWARDER != "NONE" ]]; then + sed -i "/\[global\]/a \ + \\\tdns forwarder = ${DNSFORWARDER}\ + " /etc/samba/smb.conf + fi + if [[ ${INSECURELDAP,,} == "true" ]]; then + sed -i "/\[global\]/a \ + \\\tldap server require strong auth = no\ + " /etc/samba/smb.conf + fi + # Once we are set up, we'll make a file so that we know to use it if we ever spin this up again + cp /etc/samba/smb.conf /etc/samba/external/smb.conf + else + cp /etc/samba/external/smb.conf /etc/samba/smb.conf + fi + + # Set up supervisor + echo "[supervisord]" > /etc/supervisor/conf.d/supervisord.conf + echo "nodaemon=true" >> /etc/supervisor/conf.d/supervisord.conf + echo "" >> /etc/supervisor/conf.d/supervisord.conf + echo "[program:samba]" >> /etc/supervisor/conf.d/supervisord.conf + echo "command=/usr/sbin/samba -i" >> 
/etc/supervisor/conf.d/supervisord.conf
+ if [[ ${MULTISITE,,} == "true" ]]; then
+ if [[ -n $VPNPID ]]; then
+ kill $VPNPID
+ fi
+ echo "" >> /etc/supervisor/conf.d/supervisord.conf
+ echo "[program:openvpn]" >> /etc/supervisor/conf.d/supervisord.conf
+ echo "command=/usr/sbin/openvpn --config /docker.ovpn" >> /etc/supervisor/conf.d/supervisord.conf
+ fi
+
+ appStart
+}
+
+appStart () {
+ /usr/bin/supervisord
+}
+
+case "$1" in
+ start)
+ if [[ -f /etc/samba/external/smb.conf ]]; then
+ cp /etc/samba/external/smb.conf /etc/samba/smb.conf
+ appStart
+ else
+ echo "Config file is missing."
+ fi
+ ;;
+ setup)
+ # If the supervisor conf isn't there, we're spinning up a new container
+ if [[ -f /etc/supervisor/conf.d/supervisord.conf ]]; then
+ appStart
+ else
+ appSetup
+ fi
+ ;;
+esac
+
+exit 0
+
+
diff --git a/Workbench/comanage/container_files/system/setservername.sh b/Workbench/comanage/container_files/system/setservername.sh
new file mode 100755
index 0000000..20b9d05
--- /dev/null
+++ b/Workbench/comanage/container_files/system/setservername.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+ do
+ sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+ done
+
diff --git a/Workbench/comanage_cron/Dockerfile b/Workbench/comanage_cron/Dockerfile
index 47ed382..c345357 100644
--- a/Workbench/comanage_cron/Dockerfile
+++ b/Workbench/comanage_cron/Dockerfile
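Review bot: `DOMAINPASS=${DOMAINPASS:-password}` at the top of appSetup gives the domain administrator a well-known default, and the value is then passed on the command line (`--password="${DOMAINPASS}"`, `--adminpass=${DOMAINPASS}`), where the process list exposes it to every other process in the container. Replace the default with a hard requirement, `: "${DOMAINPASS:?DOMAINPASS must be set}"`, and quote the `--adminpass` value so a password containing spaces does not split into extra arguments. In the multi-site branch, `kill $VPNPID` returns non-zero if openvpn has already exited, and under `set -e` that aborts appSetup before supervisord is configured or started; `kill "$VPNPID" || true` keeps the best-effort intent.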
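Review bot: `sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file` runs with no check that CSPHOSTNAME is set, so an empty value silently replaces the placeholder with nothing and the problem only surfaces later as broken SP/IdP metadata; add `: "${CSPHOSTNAME:?CSPHOSTNAME must be set}"` before the loop. Because the value is spliced into the sed expression unescaped, a hostname containing `|` or `&` would also be mis-parsed, so a guard such as `case "$CSPHOSTNAME" in *'|'*|*'&'*) echo "invalid CSPHOSTNAME" >&2; exit 1;; esac` is worth adding, and `$file` should be quoted. The same script with the same gaps is added for grouper_ui, idp, idp_ui, midpoint_server, webproxy and wordpress_server in this commit.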
@@ -36,9 +36,9 @@ RUN mkdir -p /srv/comanage-registry/local/Plugin/ RUN ln -s /srv/comanage-registry/app/AvailablePlugin/SqlProvisioner /srv/comanage-registry/local/Plugin/ COPY container_files/system/setupcroncomanage.sh /usr/local/bin/setupcroncomanage.sh -COPY container_files/system/runcomangejob.sh /usr/local/bin/ +COPY container_files/system/runcomanagejob.sh /usr/local/bin/ COPY --chown=www-data:www-data container_files/system/root-crontab /usr/local/etc -RUN chmod 755 /usr/local/bin/runcomangejob.sh && \ +RUN chmod 755 /usr/local/bin/runcomanagejob.sh && \ /usr/bin/crontab -u www-data /usr/local/etc/root-crontab ENV COMANAGE_REGISTRY_CRONTAB=/usr/local/etc/root-crontab
diff --git a/Workbench/comanage_cron/container_files/system/runcomanagejob.sh b/Workbench/comanage_cron/container_files/system/runcomanagejob.sh
new file mode 100755
index 0000000..6a804ad
--- /dev/null
+++ b/Workbench/comanage_cron/container_files/system/runcomanagejob.sh
@@ -0,0 +1,16 @@
+#!/bin/bash
+
+# ensure php is in the path
+export PATH=$PATH:/usr/local/bin
+
+if [ "$#" -ne 1 ];
+ then
+ echo Executing job to run expirations, syncorgsources, and groupvalidity tasks
+ cd /srv/comanage-registry/app && Console/cake job -q
+ exit
+fi
+
+echo Executing job shell for CO number $1
+cd /srv/comanage-registry/app && Console/cake job -q -r -c $1
+echo Done executing job shell for CO number $1
+
diff --git a/Workbench/comanage_cron/container_files/system/setupcroncomanage.sh b/Workbench/comanage_cron/container_files/system/setupcroncomanage.sh
new file mode 100755
index 0000000..17ed283
--- /dev/null
+++ b/Workbench/comanage_cron/container_files/system/setupcroncomanage.sh
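Review bot: In the per-CO path of runcomanagejob.sh the job's exit status is discarded because `echo Done …` is the last command, so cron records success even when `Console/cake job -q -r -c $1` fails; capture it with `rc=0; cd /srv/comanage-registry/app && Console/cake job -q -r -c "$1" || rc=$?` and finish with `exit "$rc"`. `$1` is also unquoted and never validated as a CO id, so `case "$1" in ''|*[!0-9]*) echo "usage: $0 [co-id]" >&2; exit 2;; esac` before it is used would reject anything that is not a number. The no-argument branch is fine as written, since a bare `exit` propagates the status of the preceding `&&` list.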
@@ -0,0 +1,37 @@
+#!/bin/bash
+
+# COmanage Registry shell script to install TIER beacon crontab
+#
+# Portions licensed to the University Corporation for Advanced Internet
+# Development, Inc. ("UCAID") under one or more contributor license agreements.
+# See the NOTICE file distributed with this work for additional information
+# regarding copyright ownership.
+#
+# UCAID licenses this file to you under the Apache License, Version 2.0
+# (the "License"); you may not use this file except in compliance with the
+# License. You may obtain a copy of the License at:
+#
+# http://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+CRONFILE='/tmp/cronfile'
+
+# Set up job scripts for COmanage Cos
+
+echo "# Run the job queue for CO 1 every 5 minutes" >> "${CRONFILE}"
+#echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * * cd /srv/comanage-registry/app && Console/cake job -q -r -c 1 >> /tmp/cron.log" >> "${CRONFILE}"
+echo "* * * * * /usr/local/bin/runcomangejob.sh 1" >> "${CRONFILE}"
+echo "# Run the job queue for CO 2 every 5 minutes, but 2 minutes later than for CO 1" >> "${CRONFILE}"
+echo "0,5,10,15,20,25,30,35,40,45,50,55 * * * * /usr/local/bin/runcomangejob.sh 2 " >> "${CRONFILE}"
+echo "# TODO support an arbitrary number of COs for jobshell" >> "${CRONFILE}"
+echo "# Deprecated job to run expirations, syncorgsources, and groupvalidity tasks (until Registry v4.0.0)" >> "${CRONFILE}"
+echo "0 * * * * cd /srv/comanage-registry/app && Console/cake job -q" >> "${CRONFILE}"
+
+chmod 644 "${CRONFILE}"
+crontab "${CRONFILE}"
+
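Review bot: Both CO entries still invoke `/usr/local/bin/runcomangejob.sh`, but the Dockerfile hunk in this same commit renames the installed script to `runcomanagejob.sh`, so the two job-queue cron jobs will fail with a missing file; change both echo lines to `/usr/local/bin/runcomanagejob.sh`. `CRONFILE='/tmp/cronfile'` is a fixed, predictable path that is only ever appended to with `>>`, so whatever already sits in that file (from an earlier run, or written by any other process in the container) is installed into the crontab along with these lines; `CRONFILE=$(mktemp) || exit 1` and `>` for the first write avoid that. The comment for CO 1 says "every 5 minutes" while the schedule written is `* * * * *` (every minute), so one of the two should change.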
diff --git a/Workbench/grouper_data/container_files/bootstrap/initialize.gsh b/Workbench/grouper_data/container_files/bootstrap/initialize.gsh
new file mode 100644
index 0000000..eacf873
--- /dev/null
+++ b/Workbench/grouper_data/container_files/bootstrap/initialize.gsh
@@ -0,0 +1,98 @@ +System.out.println("************** initialize.gsh starting...") + +gs = GrouperSession.startRootSession() + +addStem("", "app", "app") +addStem("", "basis", "basis") +addStem("", "bundle", "bundle") +addStem("", "org", "org") +addStem("", "test", "test") + +addRootStem("ref", "ref") +addStem("ref", "course", "Course") +addStem("ref", "dept", "Department") +addStem("ref", "affiliation", "Affiliation") + +new GroupSave().assignName("ref:affiliation:alum").assignDisplayName("Alumni").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:community").assignDisplayName("Community").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:faculty").assignDisplayName("Faculty").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:member").assignDisplayName("Member").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:staff").assignDisplayName("Staff").assignCreateParentStemsIfNotExist(true).save(); +new GroupSave().assignName("ref:affiliation:student").assignDisplayName("Student").assignCreateParentStemsIfNotExist(true).save(); + +group = GroupFinder.findByName(gs, "etc:sysadmingroup", true) +group.getAttributeDelegate().assignAttribute(LoaderLdapUtils.grouperLoaderLdapAttributeDefName()).getAttributeAssign() +attributeAssign = group.getAttributeDelegate().retrieveAssignment(null, LoaderLdapUtils.grouperLoaderLdapAttributeDefName(), false, true) +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapQuartzCronName(), "0 * * * * ?") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapTypeName(), "LDAP_SIMPLE") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapFilterName(), "(cn=sysadmingroup)") 
+attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSearchDnName(), "ou=midpoint,ou=Groups") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapServerIdName(), "demo") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSourceIdName(), "ldap") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectExpressionName(), '${loaderLdapElUtils.convertDnToSpecificValue(subjectId)}') +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectAttributeName(), "uniqueMember") +attributeAssign.getAttributeValueDelegate().assignValue(LoaderLdapUtils.grouperLoaderLdapSubjectIdTypeName(), "subjectId") + +admins = new GroupSave(gs).assignName("app:wordpress:admins").assignCreateParentStemsIfNotExist(true).save() +editors = new GroupSave(gs).assignName("app:wordpress:editors").assignCreateParentStemsIfNotExist(true).save() +chess = new GroupSave(gs).assignName("app:mailinglist:chess").assignCreateParentStemsIfNotExist(true).save() +idmfans = new GroupSave(gs).assignName("app:mailinglist:idm-fans").assignCreateParentStemsIfNotExist(true).save() +cs = new GroupSave(gs).assignName("app:cs").assignCreateParentStemsIfNotExist(true).save() +volunteers = new GroupSave(gs).assignName("test:volunteers").assignCreateParentStemsIfNotExist(true).save() + + +group = new GroupSave(gs).assignName("etc:affiliationLoader").assignCreateParentStemsIfNotExist(true).save() +group.addType(GroupTypeFinder.find("grouperLoader")) +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST") +group.setAttribute("grouperLoaderScheduleType", "CRON") +group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?") +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderGroupTypes", "addIncludeExclude") +group.setAttribute("grouperLoaderQuery", 
"SELECT concat('ref:affiliation:',affiliation,'_systemOfRecord') as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_AFFILIATIONS") + +group = new GroupSave(gs).assignName("etc:deptLoader").assignCreateParentStemsIfNotExist(true).save() +group.addType(GroupTypeFinder.find("grouperLoader")) +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST") +group.setAttribute("grouperLoaderScheduleType", "CRON") +group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?") +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:dept:',department) as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_PERSONS where department is not null") + +group = new GroupSave(gs).assignName("etc:coursesLoader").assignCreateParentStemsIfNotExist(true).save() +group.addType(GroupTypeFinder.find("grouperLoader")) +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderType", "SQL_GROUP_LIST") +group.setAttribute("grouperLoaderScheduleType", "CRON") +group.setAttribute("grouperLoaderQuartzCron", "0 * * * * ?") +group.setAttribute("grouperLoaderDbName", "sis") +group.setAttribute("grouperLoaderQuery", "SELECT concat('ref:course:',courseId) as GROUP_NAME, uid as SUBJECT_IDENTIFIER, 'ldap' as SUBJECT_SOURCE_ID from SIS_COURSES") + +edu.internet2.middleware.grouper.app.loader.GrouperLoaderType.scheduleLoads() + + + +def addGroups(gs,stem,owner,regexp) { + for (group in stem.childGroups) { + if (!group.name.endsWith('_includes') && + !group.name.endsWith('_excludes') && + !group.name.endsWith('_systemOfRecord') && + !group.name.endsWith('_systemOfRecordAndIncludes') && + (regexp == null || group.extension ==~ regexp)) { + println 'Adding: ' + group + def s = SubjectFinder.findById(group.getId(), 'group', 'g:gsa') + owner.addMember(s, false) + } else { + println 'Ignoring: ' + group + } + } +} + +def cs = 
GroupFinder.findByName(gs, "app:cs", true) + +gs = GrouperSession.startRootSession() +addGroups(gs, StemFinder.findByName(gs, 'ref:course'), cs, /CS.*/) + +System.out.println("************** initialize.gsh done.") + diff --git a/Workbench/grouper_data/container_files/bootstrap/set-prov.gsh b/Workbench/grouper_data/container_files/bootstrap/set-prov.gsh new file mode 100644 index 0000000..2cc4bbc --- /dev/null +++ b/Workbench/grouper_data/container_files/bootstrap/set-prov.gsh 
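Review bot: `def cs = GroupFinder.findByName(gs, "app:cs", true)` near the end re-declares `cs`, which was already bound to the same group by the `app:cs` GroupSave above, and the second `gs = GrouperSession.startRootSession()` opens another root session while `gs` is still in scope; both lines can be dropped so `addGroups(gs, StemFinder.findByName(gs, 'ref:course'), cs, /CS.*/)` uses the existing objects. Each of the three loader blocks also sets `grouperLoaderDbName` to `"sis"` twice. A one-line comment on `addGroups` explaining the four suffix exclusions (presumably the helper groups created by the `addIncludeExclude` type — confirm) would help the next reader.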
@@ -0,0 +1,37 @@ + +provisioner_name="midPoint"; +GrouperSession grouperSession = GrouperSession.startRootSession(); + +def setProvOnStem(grouperSession,provisioner_name,folder_name) { + AttributeAssign attributeAssignMarker = null; + attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerStemName(folder_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save(); + +} + +def setProvOnGroup(grouperSession,provisioner_name,group_name) { + AttributeAssign attributeAssignMarker = null; + attributeAssignMarker = new AttributeAssignSave(grouperSession).assignOwnerGroupName(group_name).assignNameOfAttributeDefName("etc:provisioning:provisioningMarker").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDirectAssign").addValue("true").save(); + new 
AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningDoProvision").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningStemScope").addValue("sub").save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningTarget").addValue(provisioner_name).save(); + new AttributeAssignSave(grouperSession).assignOwnerAttributeAssign(attributeAssignMarker).assignNameOfAttributeDefName("etc:provisioning:provisioningMetadataJson").addValue("{\"destination\":\"midpoint\",\"actor\":\"initial load\"}").save(); + +} + +setProvOnStem(grouperSession,provisioner_name,"app") +setProvOnStem(grouperSession,provisioner_name,"test") +setProvOnStem(grouperSession,provisioner_name,"ref:dept") +setProvOnStem(grouperSession,provisioner_name,"ref:course") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:alum") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:community") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:faculty") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:member") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:staff") +setProvOnGroup(grouperSession,provisioner_name,"ref:affiliation:student") + diff --git a/Workbench/grouper_ui/container_files/system/setservername.sh b/Workbench/grouper_ui/container_files/system/setservername.sh new file mode 100755 index 0000000..20b9d05 --- /dev/null +++ b/Workbench/grouper_ui/container_files/system/setservername.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +files="/etc/shibboleth/idp-metadata.xml" + +for file in $files + do + sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file + done + 
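Review bot: `setProvOnStem` and `setProvOnGroup` are identical apart from `assignOwnerStemName` versus `assignOwnerGroupName`, so the five `AttributeAssignSave` lines and the inline JSON metadata are maintained twice; factoring them into one helper that receives the saved marker assignment would leave a single place to edit. The group variant also sets `etc:provisioning:provisioningStemScope` to `"sub"` on a group marker, which looks like a copy-over from the stem version — confirm it is meaningful there, otherwise drop that line. `AttributeAssign attributeAssignMarker = null;` followed by an immediate assignment can be collapsed into one declaration.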
diff --git a/Workbench/idp/container_files/system/setservername.sh b/Workbench/idp/container_files/system/setservername.sh
new file mode 100755
index 0000000..783711f
--- /dev/null
+++ b/Workbench/idp/container_files/system/setservername.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml"
+
+for file in $files
+ do
+ sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+ done
+
diff --git a/Workbench/idp_ui/container_files/system/setservername.sh b/Workbench/idp_ui/container_files/system/setservername.sh
new file mode 100755
index 0000000..664ae62
--- /dev/null
+++ b/Workbench/idp_ui/container_files/system/setservername.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/opt/shibui/application.yml /opt/shibui/saml/idp-metadata.xml"
+
+for file in $files
+ do
+ sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+ done
+
diff --git a/Workbench/midpoint_server/container_files/system/setservername.sh b/Workbench/midpoint_server/container_files/system/setservername.sh
new file mode 100755
index 0000000..f1c761f
--- /dev/null
+++ b/Workbench/midpoint_server/container_files/system/setservername.sh
@@ -0,0 +1,10 @@
+#!/bin/bash
+
+files="/opt/midpoint/var/post-initial-objects/securityPolicy/000-security-policy.xml /etc/shibboleth/idp-metadata.xml"
+
+for file in $files
+ do
+ echo "Editing file $file with value $CSPHOSTNAME"
+ sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+ done
+
diff --git a/Workbench/mq/container_files/usr-local-bin/demo-entrypoint.sh b/Workbench/mq/container_files/usr-local-bin/demo-entrypoint.sh
new file mode 100755
index 0000000..5c40bc4
--- /dev/null
+++ b/Workbench/mq/container_files/usr-local-bin/demo-entrypoint.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+if [ ! -e $RABBITMQ_INIT_DONE_FILE ]; then
+ /usr/local/bin/initialize-rabbitmq.sh &
+else
+ echo "RabbitMQ was already initialized"
+fi
+/usr/local/bin/entrypoint.sh "$@"
+
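Review bot: `if [ ! -e $RABBITMQ_INIT_DONE_FILE ]` in demo-entrypoint.sh is unquoted, so when the variable is unset the test collapses to `[ ! -e ]`, which evaluates false, and the script prints "already initialized" and skips initialization without any error. Fail early instead with `: "${RABBITMQ_INIT_DONE_FILE:?RABBITMQ_INIT_DONE_FILE must be set}"` and test `[ ! -e "$RABBITMQ_INIT_DONE_FILE" ]`. A comment noting that initialize-rabbitmq.sh is backgrounded on purpose and synchronises itself with `rabbitmqctl wait` would explain the `&`.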
diff --git a/Workbench/mq/container_files/usr-local-bin/initialize-rabbitmq.sh b/Workbench/mq/container_files/usr-local-bin/initialize-rabbitmq.sh
new file mode 100755
index 0000000..e8791c7
--- /dev/null
+++ b/Workbench/mq/container_files/usr-local-bin/initialize-rabbitmq.sh
@@ -0,0 +1,13 @@
+#!/bin/bash
+
+set -e
+
+echo "Executing RabbitMQ initialization"
+echo "Waiting for the server to start up..."
+rabbitmqctl -t 30 wait $RABBITMQ_PID_FILE
+echo "OK, creating sampleQueue..."
+rabbitmqadmin declare queue name=sampleQueue
+rabbitmqctl change_password guest password
+echo "Done"
+touch $RABBITMQ_INIT_DONE_FILE
+
diff --git a/Workbench/webproxy/container_files/mdload/addAttrRel.sh b/Workbench/webproxy/container_files/mdload/addAttrRel.sh
new file mode 100755
index 0000000..5b6f7d7
--- /dev/null
+++ b/Workbench/webproxy/container_files/mdload/addAttrRel.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+HEADER_NAME="IDPUI_API_KEY"
+HEADER_VALUE="00c34830-9028-418c-976c-624a61578c8f"
+
+#first param is internal ID
+
+#get the current object and add attribute release info
+echo "mdload-attr:Fetching current data for object $1"
+curl -k -s --location --request GET "https://localhost/idpui-api/api/EntityDescriptor/$1" \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" | jq '.attributeRelease += ["eduPersonPrincipalName","mail","givenName","surname","uid"]' > json.out
+
+#update the existing object with the added attribute release data
+echo "mdload-attr:Adding attribute release info for object $1"
+curl -k -s --location --request PUT "https://localhost/idpui-api/api/EntityDescriptor/$1" \
+--header 'Content-Type: application/json' \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" \
+--data-raw "$(cat json.out)"
+
+rm json.out
+
diff --git a/Workbench/webproxy/container_files/mdload/loadMD.sh b/Workbench/webproxy/container_files/mdload/loadMD.sh
new file mode 100755
index 0000000..92c05e9
--- /dev/null
+++ b/Workbench/webproxy/container_files/mdload/loadMD.sh
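Review bot: `rabbitmqctl change_password guest password` in initialize-rabbitmq.sh hard-codes the new credential for the built-in `guest` account, so the image ships with a password that is both fixed and committed to source; read it from the environment instead, e.g. `rabbitmqctl change_password guest "${RABBITMQ_GUEST_PASSWORD:?must be set}"` (variable name is a suggestion) and have the compose file supply it. `$RABBITMQ_PID_FILE` and `$RABBITMQ_INIT_DONE_FILE` are unquoted and unchecked; with an unset value `rabbitmqctl -t 30 wait` is called with no path and `set -e` aborts with an unhelpful error, so a `: "${RABBITMQ_PID_FILE:?}"` guard at the top is cheap.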
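Review bot: `HEADER_VALUE="…"` in addAttrRel.sh embeds the IdPUI API key in the script (the same literal appears in loadMD.sh in this commit), so the key is committed to source and baked into the image; load it from an environment variable or a mounted secret file and fail if absent, e.g. `HEADER_VALUE=${IDPUI_API_KEY:?IDPUI_API_KEY must be set}` (name is a suggestion). `curl -k` turns off certificate verification for the proxy's own endpoint; pointing `--cacert` at the workbench CA keeps TLS meaningful. The status of the GET/`jq` pipeline is never checked, so if it fails the PUT sends an empty body; write to a `mktemp` file rather than `json.out` in the current directory and `exit 1` when that file is empty before the PUT.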
@@ -0,0 +1,55 @@
+#!/bin/sh
+
+HEADER_NAME="IDPUI_API_KEY"
+HEADER_VALUE="00c34830-9028-418c-976c-624a61578c8f"
+DIR=/mdload
+
+#first param is name of SP
+#second param is filename of raw metadata
+#third param is sleep time
+
+
+pushd $DIR
+
+#make sure its up
+echo "mdload:Sleeping for $3 seconds to ensure availability"
+sleep $3
+
+#import raw XML
+echo "mdload:Importing metadata for $1..."
+curl -k -s --location --request POST "https://localhost/idpui-api/api/EntityDescriptor?spName=$1" \
+--header 'Content-Type: application/xml' \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" \
+--data-raw "$(cat $2)" > $DIR/output.txt
+
+#get ID, set as enabled
+ID=$(cat $DIR/output.txt | jq -r '.id')
+echo "mdload:Fetched ID for object: $ID"
+sleep 5
+
+#ensure ID isn't empty
+echo "Setting $1 as enabled..."
+if [[ -z "$ID" ]]; then
+ echo "mdload:\$ID : is EMPTY, terminating"
+ cat $DIR/output.txt
+ exit 1
+fi
+
+#validate ID
+if [[ $ID =~ ^\{?[A-F0-9a-f]{8}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{12}\}?$ ]]; then
+ echo "mdload: object ID validated"
+ curl -k -s --location --request PATCH "https://localhost/idpui-api/api/activate/entityDescriptor/$ID/enable" \
+ --header "${HEADER_NAME}: ${HEADER_VALUE}"
+else
+ echo "mdload:Bad response from service, terminating:"
+ cat $DIR/output.txt
+ exit 1
+fi
+
+#add attribute release
+$DIR/addAttrRel.sh $ID
+
+rm $DIR/output.txt
+
+popd
+
diff --git a/Workbench/webproxy/container_files/mdload/wait-for-it.sh b/Workbench/webproxy/container_files/mdload/wait-for-it.sh
new file mode 100755
index 0000000..d95ecd8
--- /dev/null
+++ b/Workbench/webproxy/container_files/mdload/wait-for-it.sh
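Review bot: loadMD.sh is declared `#!/bin/sh` but uses `pushd`/`popd`, `[[ … ]]` and `=~`, none of which POSIX sh provides; on a dash-based /bin/sh `pushd` is not found and the two `[[` tests run as unknown commands, so the empty-ID and ID-format checks cannot behave as written. Change the shebang to `#!/bin/bash` (startWithMDLoad.sh in this commit has the same mismatch with `pushd`/`popd`). `$2`, `$3` and `$DIR` are unquoted and unchecked, so a missing sleep argument makes `sleep $3` fail and a metadata path with spaces splits; `--data-raw "$(cat "$2")"` and `sleep "${3:?sleep time required}"` close both.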
@@ -0,0 +1,183 @@ +#!/usr/bin/env bash +# Use this script to test if a given TCP host/port are available + +WAITFORIT_cmdname=${0##*/} + +echoerr() { if [[ $WAITFORIT_QUIET -ne 1 ]]; then echo "$@" 1>&2; fi } + +usage() +{ + cat << USAGE >&2 +Usage: + $WAITFORIT_cmdname host:port [-s] [-t timeout] [-- command args] + -h HOST | --host=HOST Host or IP under test + -p PORT | --port=PORT TCP port under test + Alternatively, you specify the host and port as host:port + -s | --strict Only execute subcommand if the test succeeds + -q | --quiet Don't output any status messages + -t TIMEOUT | --timeout=TIMEOUT + Timeout in seconds, zero for no timeout + -- COMMAND ARGS Execute command with args after the test finishes +USAGE + exit 1 +} + +wait_for() +{ + if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then + echoerr "$WAITFORIT_cmdname: waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT" + else + echoerr "$WAITFORIT_cmdname: waiting for $WAITFORIT_HOST:$WAITFORIT_PORT without a timeout" + fi + WAITFORIT_start_ts=$(date +%s) + while : + do + if [[ $WAITFORIT_ISBUSY -eq 1 ]]; then + nc -z $WAITFORIT_HOST $WAITFORIT_PORT + WAITFORIT_result=$? + else + (echo -n > /dev/tcp/$WAITFORIT_HOST/$WAITFORIT_PORT) >/dev/null 2>&1 + WAITFORIT_result=$? + fi + if [[ $WAITFORIT_result -eq 0 ]]; then + WAITFORIT_end_ts=$(date +%s) + echoerr "$WAITFORIT_cmdname: $WAITFORIT_HOST:$WAITFORIT_PORT is available after $((WAITFORIT_end_ts - WAITFORIT_start_ts)) seconds" + break + fi + sleep 1 + done + return $WAITFORIT_result +} + +wait_for_wrapper() +{ + # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692 + if [[ $WAITFORIT_QUIET -eq 1 ]]; then + timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --quiet --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT & + else + timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT & + fi + WAITFORIT_PID=$! 
+ trap "kill -INT -$WAITFORIT_PID" INT + wait $WAITFORIT_PID + WAITFORIT_RESULT=$? + if [[ $WAITFORIT_RESULT -ne 0 ]]; then + echoerr "$WAITFORIT_cmdname: timeout occurred after waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT" + fi + return $WAITFORIT_RESULT +} + +# process arguments +while [[ $# -gt 0 ]] +do + case "$1" in + *:* ) + WAITFORIT_hostport=(${1//:/ }) + WAITFORIT_HOST=${WAITFORIT_hostport[0]} + WAITFORIT_PORT=${WAITFORIT_hostport[1]} + shift 1 + ;; + --child) + WAITFORIT_CHILD=1 + shift 1 + ;; + -q | --quiet) + WAITFORIT_QUIET=1 + shift 1 + ;; + -s | --strict) + WAITFORIT_STRICT=1 + shift 1 + ;; + -h) + WAITFORIT_HOST="$2" + if [[ $WAITFORIT_HOST == "" ]]; then break; fi + shift 2 + ;; + --host=*) + WAITFORIT_HOST="${1#*=}" + shift 1 + ;; + -p) + WAITFORIT_PORT="$2" + if [[ $WAITFORIT_PORT == "" ]]; then break; fi + shift 2 + ;; + --port=*) + WAITFORIT_PORT="${1#*=}" + shift 1 + ;; + -t) + WAITFORIT_TIMEOUT="$2" + if [[ $WAITFORIT_TIMEOUT == "" ]]; then break; fi + shift 2 + ;; + --timeout=*) + WAITFORIT_TIMEOUT="${1#*=}" + shift 1 + ;; + --) + shift + WAITFORIT_CLI=("$@") + break + ;; + --help) + usage + ;; + *) + echoerr "Unknown argument: $1" + usage + ;; + esac +done + +if [[ "$WAITFORIT_HOST" == "" || "$WAITFORIT_PORT" == "" ]]; then + echoerr "Error: you need to provide a host and port to test." + usage +fi + +WAITFORIT_TIMEOUT=${WAITFORIT_TIMEOUT:-15} +WAITFORIT_STRICT=${WAITFORIT_STRICT:-0} +WAITFORIT_CHILD=${WAITFORIT_CHILD:-0} +WAITFORIT_QUIET=${WAITFORIT_QUIET:-0} + +# Check to see if timeout is from busybox? 
+WAITFORIT_TIMEOUT_PATH=$(type -p timeout) +WAITFORIT_TIMEOUT_PATH=$(realpath $WAITFORIT_TIMEOUT_PATH 2>/dev/null || readlink -f $WAITFORIT_TIMEOUT_PATH) + +WAITFORIT_BUSYTIMEFLAG="" +if [[ $WAITFORIT_TIMEOUT_PATH =~ "busybox" ]]; then + WAITFORIT_ISBUSY=1 + # Check if busybox timeout uses -t flag + # (recent Alpine versions don't support -t anymore) + if timeout &>/dev/stdout | grep -q -e '-t '; then + WAITFORIT_BUSYTIMEFLAG="-t" + fi +else + WAITFORIT_ISBUSY=0 +fi + +if [[ $WAITFORIT_CHILD -gt 0 ]]; then + wait_for + WAITFORIT_RESULT=$? + exit $WAITFORIT_RESULT +else + if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then + wait_for_wrapper + WAITFORIT_RESULT=$? + else + wait_for + WAITFORIT_RESULT=$? + fi +fi + +if [[ $WAITFORIT_CLI != "" ]]; then + if [[ $WAITFORIT_RESULT -ne 0 && $WAITFORIT_STRICT -eq 1 ]]; then + echoerr "$WAITFORIT_cmdname: strict mode, refusing to execute subprocess" + exit $WAITFORIT_RESULT + fi + exec "${WAITFORIT_CLI[@]}" +else + exit $WAITFORIT_RESULT +fi + diff --git a/Workbench/webproxy/container_files/system/setservername.sh b/Workbench/webproxy/container_files/system/setservername.sh new file mode 100755 index 0000000..a48ec6b --- /dev/null +++ b/Workbench/webproxy/container_files/system/setservername.sh @@ -0,0 +1,9 @@ +#!/bin/bash + +files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html /mdload/grouper-sp.xml /mdload/midpoint-sp.xml /mdload/comanage-sp.xml /mdload/proxy-sp.xml /mdload/wordpress-sp.xml" + +for file in $files + do + sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file + done + diff --git a/Workbench/webproxy/container_files/system/startWithMDLoad.sh b/Workbench/webproxy/container_files/system/startWithMDLoad.sh new file mode 100755 index 0000000..5edff2a --- /dev/null +++ b/Workbench/webproxy/container_files/system/startWithMDLoad.sh 
@@ -0,0 +1,13 @@
+#!/bin/sh
+/usr/local/bin/startup.sh &
+
+#wait for IdPUI's API, then load metadata into it
+pushd /mdload
+./wait-for-it.sh -t 0 idp_ui_api:8443 -- ./loadMD.sh GrouperSP /mdload/grouper-sp.xml 90 && \
+ ./loadMD.sh midPointSP /mdload/midpoint-sp.xml 0 && \
+ ./loadMD.sh ProxySP /mdload/proxy-sp.xml 0 && \
+ ./loadMD.sh WordPressSP /mdload/wordpress-sp.xml 0 && \
+ ./loadMD.sh COmanageSP /mdload/comanage-sp.xml 0
+popd
+wait
+
diff --git a/Workbench/wordpress_server/container_files/system/setservername.sh b/Workbench/wordpress_server/container_files/system/setservername.sh
new file mode 100755
index 0000000..f1aeb31
--- /dev/null
+++ b/Workbench/wordpress_server/container_files/system/setservername.sh
@@ -0,0 +1,9 @@
+#!/bin/bash
+
+files="/etc/shibboleth/idp-metadata.xml /root/sed.sh /root/config-shibb.sql"
+
+for file in $files
+ do
+ sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+ done
+
diff --git a/Workbench/wordpress_server/container_files/wordpress/sed.sh b/Workbench/wordpress_server/container_files/wordpress/sed.sh
new file mode 100755
index 0000000..2047a44
--- /dev/null
+++ b/Workbench/wordpress_server/container_files/wordpress/sed.sh
@@ -0,0 +1,15 @@
+#!/bin/bash
+#echo "define('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');" >> /var/www/html/wp-config.php;
+#echo "define('JWT_AUTH_CORS_ENABLE', true);" >> /var/www/html/wp-config.php
+#define( 'WP_HOME', 'https://localhost:12443' );
+#define( 'WP_SITEURL', 'https://localhost:12443' );
+mkdir /var/www/html/wordpress
+mv /var/www/html/* /var/www/html/wordpress/
+mv /var/www/html/.htaccess /var/www/html/wordpress/
+sed -i "s/define( 'DB_COLLATE', '' );/define( 'DB_COLLATE', '' );\ndefine('JWT_AUTH_SECRET_KEY', 'your-top-secret-key');\ndefine('JWT_AUTH_CORS_ENABLE', true);\ndefine( 'WP_HOME', 'https:\/\/__CSPHOSTNAME__\/wordpress\/' );\ndefine( 'WP_SITEURL', 'https:\/\/__CSPHOSTNAME__\/wordpress\/' );\n/" /var/www/html/wordpress/wp-config.php
+sed -i "s/RewriteBase \//RewriteBase \/wordpress\/\nRewriteRule \^wp-json\/\(\.\*\) \/wordpress\/?rest_route=\/\$1 \[L\]\n/" /var/www/html/wordpress/.htaccess
+sed -i 's/RewriteRule \. \/index\.php \[L\]/RewriteCond %{REQUEST_URI} !\\\.sso\/\nRewriteRule \. \/index\.php \[L\]/' /var/www/html/wordpress/.htaccess
+sed -i 's/AllowOverride None/AllowOverride All/' /etc/httpd/conf/httpd.conf
+sed -i 's/IncludeOptional conf.d\/\*.conf/IncludeOptional conf.d\/\*.conf\nHttpProtocolOptions Unsafe/' /etc/httpd/conf/httpd.conf
+mysql -h wordpress_data -u wordpress --password=54y6RxN7GfC7aes3 wordpress < /root/config-shibb.sql
+
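Review bot: `mysql -h wordpress_data -u wordpress --password=… wordpress` puts the database password on the command line, where it is visible in the process list and is now also committed to source; move it to a credentials file and pass `--defaults-extra-file=<file>` so neither the repository nor `ps` carries it. The same applies to the `JWT_AUTH_SECRET_KEY` written into wp-config.php as `'your-top-secret-key'`: if the JWT auth plugin is active that placeholder becomes the token signing key, so substitute it from an environment value the way `__CSPHOSTNAME__` is substituted. `HttpProtocolOptions Unsafe` relaxes Apache's request-line and header validation for the whole server; a comment stating which client or proxy behaviour requires it would let a later maintainer judge whether it is still needed.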