From d26f94ffd9ba664b32b8da5d5eb68f000af4bf1e Mon Sep 17 00:00:00 2001 
From: root Date: Fri, 1 Oct 2021 15:29:32 +0000 Subject: [PATCH] IdPUI integration --- Workbench/docker-compose.yml | 22 ++- Workbench/idp/Dockerfile | 5 +- .../container_files/system/setservername.sh | 2 +- .../shibboleth-idp/conf/attribute-filter.xml | 4 +- .../conf/metadata-providers.xml | 4 +- Workbench/idp_ui_api/Dockerfile | 18 ++ .../container_files/idp_ui/application.yml | 36 ++++ .../container_files/idp_ui/shibui-test.p12 | Bin 0 -> 2533 bytes .../container_files/idp_ui/users.txt | 1 + .../container_files/system/setservername.sh | 8 + Workbench/scripts/gethealth.py | 2 +- Workbench/webproxy/Dockerfile | 16 +- .../webproxy/container_files/httpd/index.html | 4 +- .../webproxy/container_files/httpd/proxy.conf | 7 + .../webproxy/container_files/httpd/ssl.conf | 7 + .../container_files/mdload/addAttrRel.sh | 21 ++ .../container_files/mdload}/comanage-sp.xml | 0 .../container_files/mdload}/grouper-sp.xml | 0 .../webproxy/container_files/mdload/loadMD.sh | 54 ++++++ .../container_files/mdload}/midpoint-sp.xml | 0 .../container_files/mdload}/proxy-sp.xml | 0 .../container_files/mdload/wait-for-it.sh | 182 ++++++++++++++++++ .../container_files/mdload}/wordpress-sp.xml | 0 .../container_files/system/setservername.sh | 4 +- .../container_files/system/startWithMDLoad.sh | 12 ++ 25 files changed, 394 insertions(+), 15 deletions(-) create mode 100644 Workbench/idp_ui_api/Dockerfile create mode 100644 Workbench/idp_ui_api/container_files/idp_ui/application.yml create mode 100644 Workbench/idp_ui_api/container_files/idp_ui/shibui-test.p12 create mode 100644 Workbench/idp_ui_api/container_files/idp_ui/users.txt create mode 100644 Workbench/idp_ui_api/container_files/system/setservername.sh create mode 100755 Workbench/webproxy/container_files/mdload/addAttrRel.sh rename Workbench/{idp/shibboleth-idp/metadata => webproxy/container_files/mdload}/comanage-sp.xml (100%) rename Workbench/{idp/shibboleth-idp/metadata => webproxy/container_files/mdload}/grouper-sp.xml (100%) 
create mode 100755 Workbench/webproxy/container_files/mdload/loadMD.sh rename Workbench/{idp/shibboleth-idp/metadata => webproxy/container_files/mdload}/midpoint-sp.xml (100%) rename Workbench/{idp/shibboleth-idp/metadata => webproxy/container_files/mdload}/proxy-sp.xml (100%) create mode 100755 Workbench/webproxy/container_files/mdload/wait-for-it.sh rename Workbench/{idp/shibboleth-idp/metadata => webproxy/container_files/mdload}/wordpress-sp.xml (100%) create mode 100755 Workbench/webproxy/container_files/system/startWithMDLoad.sh diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml index 75f0300..09623d0 100644 --- a/Workbench/docker-compose.yml +++ b/Workbench/docker-compose.yml @@ -301,7 +301,6 @@ services: - CSPHOSTNAME depends_on: - directory - - idp_ui environment: - JETTY_MAX_HEAP=64m - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password @@ -334,6 +333,25 @@ services: - generated-metadata:/generated-metadata - generated-config:/generated-config + idp_ui_api: + build: + context: ./idp_ui_api/ + args: + - CSPHOSTNAME + depends_on: + - idp_ui_data + - idp_ui + networks: + - net + healthcheck: + test: curl -k -s https://127.0.0.1:8443/idpui-api + interval: 30s + timeout: 30s + retries: 3 + volumes: + - generated-metadata:/generated-metadata + - generated-config:/generated-config + idp_ui_data: image: tier/mariadb:mariadb10.2 ports: @@ -380,6 +398,8 @@ services: - CSPHOSTNAME networks: - net + depends_on: + - idp_ui_api ports: - 443:443 diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile index 4309126..fa3fac4 100644 --- a/Workbench/idp/Dockerfile +++ b/Workbench/idp/Dockerfile 
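Review bot: The new idp_ui_api healthcheck `test: curl -k -s https://127.0.0.1:8443/idpui-api` cannot fail on an HTTP error, because curl without `-f` exits 0 for 4xx/5xx responses; the service is reported healthy as soon as the TLS listener answers, even if the application did not start. The webproxy HEALTHCHECK in this same patch already uses `-f`; make this one `test: curl -k -f -s https://127.0.0.1:8443/idpui-api || exit 1`. Note also that `depends_on` only orders container start, so webproxy's new dependency on idp_ui_api does not wait for this healthcheck unless a `condition: service_healthy` form is used; today the wait-for-it loop in startWithMDLoad.sh is what compensates for that.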
@@ -6,9 +6,6 @@ ARG CSPHOSTNAME=localhost ENV CSPHOSTNAME=$CSPHOSTNAME COPY shibboleth-idp/ /opt/shibboleth-idp/ -#rather than copying metadata files included in above folder and including in config, instead upload these files to the IdP UI -# API info here: https://documenter.getpostman.com/view/446764/TzzHmCkn - RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated @@ -19,3 +16,5 @@ RUN chmod 755 /usr/local/bin/setservername.sh #set hostname RUN /usr/local/bin/setservername.sh + + diff --git a/Workbench/idp/container_files/system/setservername.sh b/Workbench/idp/container_files/system/setservername.sh index f25a82f..b3d3e0f 100644 --- a/Workbench/idp/container_files/system/setservername.sh +++ b/Workbench/idp/container_files/system/setservername.sh @@ -1,6 +1,6 @@ #!/bin/bash -files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml /opt/shibboleth-idp/metadata/wordpress-sp.xml" +files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml" for file in $files do diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml index d3a9b34..77f7052 100644 --- a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml +++ b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml @@ -95,7 +95,7 @@ - + diff --git a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml index 4126c67..852fc0d 100644 --- a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml +++ b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml @@ -33,11 +33,11 @@ --> - + 
diff --git a/Workbench/idp_ui_api/Dockerfile b/Workbench/idp_ui_api/Dockerfile new file mode 100644 index 0000000..83f88d3 --- /dev/null +++ b/Workbench/idp_ui_api/Dockerfile @@ -0,0 +1,18 @@ +FROM i2incommon/shib-idp-ui:1.9.2 + +ARG CSPHOSTNAME=localhost +ENV CSPHOSTNAME=$CSPHOSTNAME + +COPY container_files/idp_ui/application.yml /opt/shibui/ +COPY container_files/idp_ui/shibui-test.p12 /opt/shibui/ +COPY container_files/idp_ui/users.txt /opt/shibui/ + +#RUN mkdir -p /opt/shibui/saml/ +##COPY container_files/idp_ui/samlkeystore.jks /opt/shibui/saml/ +#COPY container_files/idp_ui/idp-metadata.xml /opt/shibui/saml/ + +#COPY container_files/system/setservername.sh /usr/local/bin/ +#RUN chmod 755 /usr/local/bin/setservername.sh +#RUN /usr/local/bin/setservername.sh + +EXPOSE 8443 diff --git a/Workbench/idp_ui_api/container_files/idp_ui/application.yml b/Workbench/idp_ui_api/container_files/idp_ui/application.yml new file mode 100644 index 0000000..de6eb0b --- /dev/null +++ b/Workbench/idp_ui_api/container_files/idp_ui/application.yml @@ -0,0 +1,36 @@ +server: + context-path: /idpui-api + servlet: + context-path: /idpui-api + tomcat: + redirect-context-root: false + ssl: + enabled: true + key-store: /opt/shibui/shibui-test.p12 + key-store-password: testing + key-store-type: pkcs12 + key-password: testing + port: 8443 +shibui: + default-password: "{noop}letmein7" + metadataProviders: + target: "file:/generated-config/shibui-metadata-providers.xml" + metadata-dir: "/generated-metadata" + beacon-enabled: true + pac4j-enabled: true + pac4j: + type-of-auth: HEADER + authentication-header: IDPUI_API_KEY +spring: + datasource: + username: shibui + password: secret + url: jdbc:mariadb://idpui-data:3306/shibui + driverClassName: org.mariadb.jdbc.Driver + platform: mariadb + jpa: + database-platform: org.hibernate.dialect.MariaDBDialect + hibernate: + ddl-auto: update + + 
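Review bot: application.yml commits the keystore passphrases (`key-store-password: testing`, `key-password: testing`), the admin bootstrap `default-password: "{noop}letmein7"` and the datasource `password: secret` as literals, and the Dockerfile `COPY` then bakes them into the image layer. Spring Boot resolves `${NAME}` placeholders from the environment, so these can be written as e.g. `key-store-password: ${SHIBUI_KEYSTORE_PASSWORD}` and supplied through the compose `environment:` block or a secret rather than the repository. Because `pac4j.type-of-auth: HEADER` makes the `IDPUI_API_KEY` request header the sole credential for the API, a comment above the `pac4j:` block stating that the API must only be reachable from callers the proxy trusts would keep the next maintainer from publishing it unguarded.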
diff --git a/Workbench/idp_ui_api/container_files/idp_ui/shibui-test.p12 b/Workbench/idp_ui_api/container_files/idp_ui/shibui-test.p12 new file mode 100644 index 0000000000000000000000000000000000000000..7efb561aa1d2574832b5e1f9dbfc78a3f91e6bc6 GIT binary patch literal 2533 zcmY+^cQhM{9tZFwk`R})_Eu`v42`X>y*tbpm)bLJRn4LzloEAYY8NSjprv))sutJY zJ1t@~Hr2-7O+5FU_uhT)kKg&7^ZlOl{quvs!sbCh1_TyX4u#1inkF8y0vUmLEG!3% zg}peBpCPbdlYc5G9t&1KkB}fB;QYz|(*O~IQ09LxumGV5IGE{5Ofm$-MGpmmm;e|o z7yz?2Ld9mA&~g<$>@J4Psg3yCdh22}gE(4$G-sT8jhDuWmEr5U)`{c4X<$g$*oiR# zxz!DjKW@O@8Rr4S3lr}vE7^4}WlZ{%DsOrzCRtkgc9gSUp|p=~&Z#=0lm?HF^^3JN z53vl-Jqnd%O-`zSjyxdVH^7@W=d8c49RWX0!w;84y%Yu}ycHa|Ghn8*GO~SqDo&-8 z@)w4gA2#n#u{yl))QyD{ddu9l_vBLZWM>)^_T^7yj5v-YnuxFTlu6lccyQy)8lF5S zT{bT|l!D4_6DV|YC`|h<19~UI- zoZsIyn!eXfc`zQ(T&j)p?^U*FCkW@Lm8~BFw%=V>4Sw0Ti5XCr{q-mqH z^i(AMS(#b^+6p3wa6w*Iztbb>m$0B#)Z}U_fyx}ih}F2oZcL7YlM0lZ@w}VUsBm^*hA^N^u(=~yd7K|+J8&HkOc@s}xn$Cq@NDo}#H@Cis z>i|6XrFAD-#rk2HCf!)HNj6mvLWUG5+!@~@JdD84qoN+xlnxPA>o*)* zHg0SSaKF`h=cIgVAZpD){4!!=xK8Wj=Gyz&Mzu00P6I=ig?91KP?3$g8k~h@1XT;1 z&pWe|yjelym48%bl%Q&5Y^Qf|+05rJvfSspsV^(gx|LGm@~kfUzXg?=XAL7}!fs31 zdwJezn-S7Gru(xc-pi?0ULCK9(-amG-@G%sXvXm_j%SQyoO)EpwEvwSj7ZDv7}&SGl%aQwcV)v3e8`B$FAvttR@J0gNM1b{$sLv!*=xLjsk z-qttWgK4NzNXovseRmT8uTyuTZjz8Ir?PWRX^D1Y*658#VBDMAih)He2_v=U-GU~A z)iXnSoRSaa%A6(0E>%PO3nIG@j~)#k5w`+w2m_$eg}oM2FD{M#5fAHi7Xx2=`n6@F zE!741(&+2i5@tV8Hm*4QfRDR*@yleOi)*Ix+(is@-Tz}TjkZ!#H=_;6yXVJi*QZ3) zmNH`xhRoT&&$|qaj#z2Xsd-cJtV7QbLXL1 z`%+Mk4)eS;kDD|nU8-&Qktk=7OMkscHMQ8v2^CWZBYyin&Q`N$cZ<&^sIL}uaJ+&n z)RZJPGJguG4?Fz)vW#Fm;t(5S6+1xk)tYw1kW6PNf9lR7eh`H8bi-C|uchPO4Hp_k zx-crC)4e_EpPLAA6Gm~Mwh!}gc6w#db**-XE4fuHZo?=xOPY=Lw}lM9GptVw@p@IN z)Jzc&5sX6H)qL4St0o*aO#J0mJaeLkwxhAT_7&u;Wu-IQqQ~F%cAVO6%!53MC6Dxf zxA9YLQd6^>%`zBxaH8J(QT3UHBwj}Sb)fRlL_H+xOEK?_$?)f2&S)%0%B?1~hQxA> z@Ad(LeY+xZ^%aSYLa{U4d>xcIQIvk_SY}(>4ajf4uX$B2fs7q>7!5>oPcCEvjjN&- zBM}T`oCVicnid52L-V1J0?gUM6#Pnq;`?4vJp&cWM!TVXg8s>1!b4BOt_TJDBrnd|3J-?!K 
zbqiKt=J!5mfLQhC6|OH6wqFd#s;JV!s-1@zc?>xweW&yqXQpt%Ns07t3rrdiu}X?(28|+l%Y5lprjsrsBmkYO)j<%+z}pdYM%D2bS>d2 z${&b`rlh?cTjBMy_Jkq1e~Q(vy5}R%Dy4aGwSij$ov-7fCmb z42tLK@bF0avC`9c!OeNXqLKQZN{;M2{&2l(Z~kC!yS}-Fp0cVx*Trj?*w6LFY zvHyg8Owb7ge5M!Mn!@5f82k~OdH-oJ;nme$@<}woIz`)5^3Mmo4%v=AX5R3Kx=0iu zcYRq>ixV~0t*m+_Q6-Z$ES>N(u0%Jvy;#CN#XULz`83L9&$#QuMiN&S$19h6QVD+9 zQQ%$Z>*SnLx3{Py7Y)JqCmxfQUl{qg3(My=@t>Xpe(H%A7a`ZcR8EmVi<+mlC*!`q z!hmeQGTG45@;<4(Uj#AM-3fxt>(%%!iIK8eEOuP`F2b zQt1}l-D7c)Ap4xvsTd$6POA`&`-JXRjD(K?!xF}xO~T@iBA zy}$baes<8OB!Lk7uZ}P-C2lZh7h~rDKNE?&ZHBQp(XEb7cnxnyC?P}RrVx?$IDCeX{ohLd3q54Gr2qf` literal 0 HcmV?d00001 diff --git a/Workbench/idp_ui_api/container_files/idp_ui/users.txt b/Workbench/idp_ui_api/container_files/idp_ui/users.txt new file mode 100644 index 0000000..5487297 --- /dev/null +++ b/Workbench/idp_ui_api/container_files/idp_ui/users.txt @@ -0,0 +1 @@ +00c34830-9028-418c-976c-624a61578c8f,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org diff --git a/Workbench/idp_ui_api/container_files/system/setservername.sh b/Workbench/idp_ui_api/container_files/system/setservername.sh new file mode 100644 index 0000000..5804e25 --- /dev/null +++ b/Workbench/idp_ui_api/container_files/system/setservername.sh @@ -0,0 +1,8 @@ +#!/bin/bash + +files="/opt/shibui/application.yml" + +for file in $files + do + sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file + done diff --git a/Workbench/scripts/gethealth.py b/Workbench/scripts/gethealth.py index 5aa5301..2a9970c 100755 --- a/Workbench/scripts/gethealth.py +++ b/Workbench/scripts/gethealth.py 
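Review bot: The single row in users.txt seeds a `ROLE_ADMIN` account, and its first column `00c34830-9028-418c-976c-624a61578c8f` is the same literal that loadMD.sh and addAttrRel.sh send as `IDPUI_API_KEY`, so this committed line appears to double as the API credential for the admin user. Together with the bcrypt hash it is a working credential for every deployment built from this repository; generate the file at build or start time from an environment variable (the Dockerfile already takes `CSPHOSTNAME` that way) and document in the Dockerfile that the checked-in value is a workbench fixture.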
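Review bot: This new setservername.sh is dead as committed: the `COPY`/`RUN` lines that would install and run it in Workbench/idp_ui_api/Dockerfile are commented out in this same patch, and the application.yml it rewrites contains no `__CSPHOSTNAME__` token. Either drop it or wire it up when a placeholder is actually introduced. If it is kept, `$CSPHOSTNAME` is spliced into the sed expression unescaped, so a value containing `|` or `&` breaks the substitution silently, and `$file` should be quoted; the idp and webproxy copies of this script share the same pattern.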
@@ -1,6 +1,6 @@ #!/bin/python -containers = ["idp", "idp_ui", "idp_ui_data", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage-cron", "comanage_data", "midpoint_server", "midpoint_data", "webproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources"] +containers = ["idp", "idp_ui", "idp_ui_data", "idp_ui_api", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage-cron", "comanage_data", "midpoint_server", "midpoint_data", "webproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources"] print("") for container in containers: diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile index be0e425..7e94499 100644 --- a/Workbench/webproxy/Dockerfile +++ b/Workbench/webproxy/Dockerfile @@ -3,7 +3,7 @@ FROM tier/shibboleth_sp:latest ARG CSPHOSTNAME=localhost ENV CSPHOSTNAME=$CSPHOSTNAME -RUN yum -y install cronie php composer php-bcmath +RUN yum -y install cronie php composer php-bcmath jq RUN composer require php-amqplib/php-amqplib RUN composer install RUN mkdir -p /var/www/html/refresh @@ -28,6 +28,17 @@ RUN chmod 755 /usr/local/bin/setservername.sh RUN mkdir -p /signalreload +RUN mkdir -p /mdload +COPY container_files/system/startWithMDLoad.sh /usr/local/bin/ +COPY container_files/mdload/ /mdload/ +RUN chmod 755 /usr/local/bin/startWithMDLoad.sh && chmod 755 /mdload/*.sh + +#install updated curl (for --data-raw) +RUN rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-1.rhel7.noarch.rpm +RUN yum-config-manager --enable city-fan.org +RUN yum update curl -y + + # fix httpd logging for ssl logs RUN sed -i 's/TransferLog logs\/ssl_access_log/TransferLog \/tmp\/logpipe/g' /etc/httpd/conf.d/ssl.conf \ && sed -i 's/ErrorLog logs\/ssl_error_log/ErrorLog \/tmp\/logpipe/g' /etc/httpd/conf.d/ssl.conf 
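Review bot: `RUN rpm -Uvh http://www.city-fan.org/.../city-fan.org-release-2-1.rhel7.noarch.rpm` fetches a third-party repository package over plain HTTP with no signature or checksum verification, and the `yum update curl -y` that follows replaces the system TLS client with whatever that repository serves on build day; the image is neither reproducible nor protected against a tampered download. Fetch over https, import the repository's GPG key and verify the package (`rpm --checksig`) before installing, and pin the curl version. The stated reason for the upgrade, `--data-raw`, disappears if the mdload scripts use `--data-binary @file`, which the stock curl already supports.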
@@ -37,3 +48,6 @@ RUN /usr/local/bin/setservername.sh HEALTHCHECK --interval=1m --timeout=30s \ CMD curl -k -f -u csp:workbench https://127.0.0.1/Shibboleth.sso/Status || exit 1 + +CMD ["/usr/local/bin/startWithMDLoad.sh"] + diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html index 3ae1c56..988074a 100644 --- a/Workbench/webproxy/container_files/httpd/index.html +++ b/Workbench/webproxy/container_files/httpd/index.html @@ -8,9 +8,9 @@

Welcome to the InCommon TAP Workbench!



The system contains the following TAP components (click the links to access each component in its own tab):
diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf index a1bc99b..f42b717 100644 --- a/Workbench/webproxy/container_files/httpd/proxy.conf +++ b/Workbench/webproxy/container_files/httpd/proxy.conf @@ -21,6 +21,10 @@ AllowEncodedSlashes NoDecode RequestHeader unset Authorization + + RequestHeader unset Authorization + + ProxyPass /midpoint https://midpoint-server/midpoint ProxyPassReverse /midpoint https://midpoint-server/midpoint ProxyPass /MPSSO https://midpoint-server/MPSSO @@ -40,6 +44,9 @@ ProxyPassReverse /idp https://idp/idp ProxyPass /idpui https://idp_ui:8443/idpui ProxyPassReverse /idpui https://idp_ui:8443/idpui +ProxyPass /idpui-api https://idp_ui_api:8443/idpui-api +ProxyPassReverse /idpui-api https://idp_ui_api:8443/idpui-api + ProxyPass /rabbit http://mq:15672/ nocanon ProxyPassReverse /rabbit http://mq:15672/ ProxyPass /js http://mq:15672/js diff --git a/Workbench/webproxy/container_files/httpd/ssl.conf b/Workbench/webproxy/container_files/httpd/ssl.conf index a5b9877..9283ea5 100644 --- a/Workbench/webproxy/container_files/httpd/ssl.conf +++ b/Workbench/webproxy/container_files/httpd/ssl.conf @@ -164,6 +164,13 @@ SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt Satisfy any + + Order deny,allow + Allow from all + Satisfy any + + + AuthType Basic AuthName "Restricted CSP content" diff --git a/Workbench/webproxy/container_files/mdload/addAttrRel.sh b/Workbench/webproxy/container_files/mdload/addAttrRel.sh new file mode 100755 index 0000000..5b6f7d7 --- /dev/null +++ b/Workbench/webproxy/container_files/mdload/addAttrRel.sh 
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+HEADER_NAME="IDPUI_API_KEY"
+HEADER_VALUE="00c34830-9028-418c-976c-624a61578c8f"
+
+#first param is internal ID
+
+#get the current object and add attribute release info
+echo "mdload-attr:Fetching current data for object $1"
+curl -k -s --location --request GET "https://localhost/idpui-api/api/EntityDescriptor/$1" \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" | jq '.attributeRelease += ["eduPersonPrincipalName","mail","givenName","surname","uid"]' > json.out
+
+#update the existing object with the added attribute release data
+echo "mdload-attr:Adding attribute release info for object $1"
+curl -k -s --location --request PUT "https://localhost/idpui-api/api/EntityDescriptor/$1" \
+--header 'Content-Type: application/json' \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" \
+--data-raw "$(cat json.out)"
+
+rm json.out
+
diff --git a/Workbench/idp/shibboleth-idp/metadata/comanage-sp.xml b/Workbench/webproxy/container_files/mdload/comanage-sp.xml
similarity index 100%
rename from Workbench/idp/shibboleth-idp/metadata/comanage-sp.xml
rename to Workbench/webproxy/container_files/mdload/comanage-sp.xml
diff --git a/Workbench/idp/shibboleth-idp/metadata/grouper-sp.xml b/Workbench/webproxy/container_files/mdload/grouper-sp.xml
similarity index 100%
rename from Workbench/idp/shibboleth-idp/metadata/grouper-sp.xml
rename to Workbench/webproxy/container_files/mdload/grouper-sp.xml
diff --git a/Workbench/webproxy/container_files/mdload/loadMD.sh b/Workbench/webproxy/container_files/mdload/loadMD.sh
new file mode 100755
index 0000000..75c7db6
--- /dev/null
+++ b/Workbench/webproxy/container_files/mdload/loadMD.sh
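Review bot: The PUT at the bottom sends `--data-raw "$(cat json.out)"` whether or not the GET or the `jq` filter succeeded; if the GET returns an error body, jq writes nothing (or an error) and the script PUTs an empty or wrong document over the object, then deletes the evidence with `rm json.out`. `json.out` is also a relative path in whatever cwd the caller happens to have. Use a guarded temp file: `out=$(mktemp) || exit 1` with `trap 'rm -f -- "$out"' EXIT`, end the GET pipeline with `> "$out" || exit 1`, and send it with `--data-binary @"$out"`, which also removes the dependency on a newer curl for `--data-raw`. The API key literal is duplicated between this script and loadMD.sh; reading it once from the environment (`: "${IDPUI_API_KEY:?}"`) keeps it out of both files.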
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+HEADER_NAME="IDPUI_API_KEY"
+HEADER_VALUE="00c34830-9028-418c-976c-624a61578c8f"
+DIR=/mdload
+
+#first param is name of SP
+#second param is filename of raw metadata
+#third param is sleep time
+
+
+pushd $DIR
+
+#make sure its up
+echo "mdload:Sleeping for $3 seconds to ensure availability"
+sleep $3
+
+#import raw XML
+echo "mdload:Importing metadata for $1..."
+curl -k -s --location --request POST "https://localhost/idpui-api/api/EntityDescriptor?spName=$1" \
+--header 'Content-Type: application/xml' \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" \
+--data-raw "$(cat $2)" > $DIR/output.txt
+
+#get ID, set as enabled
+ID=$(cat $DIR/output.txt | jq -r '.id')
+echo "mdload:Fetched ID for object: $ID"
+sleep 5
+
+#ensure ID isn't empty
+echo "Setting $1 as enabled..."
+if [[ -z "$ID" ]]; then
+ echo "mdload:\$ID : is EMPTY, terminating"
+ cat $DIR/output.txt
+ exit 1
+fi
+
+#validate ID
+if [[ $ID =~ ^\{?[A-F0-9a-f]{8}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{12}\}?$ ]]; then
+ echo "mdload: object ID validated"
+ curl -k -s --location --request PATCH "https://localhost/idpui-api/api/activate/entityDescriptor/$ID/enable" \
+ --header "${HEADER_NAME}: ${HEADER_VALUE}"
+else
+ echo "mdload:Bad response from service, terminating:"
+ cat $DIR/output.txt
+ exit 1
+fi
+
+#add attribute release
+$DIR/addAttrRel.sh $ID
+
+rm $DIR/output.txt
+
+popd
diff --git a/Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml b/Workbench/webproxy/container_files/mdload/midpoint-sp.xml
similarity index 100%
rename from Workbench/idp/shibboleth-idp/metadata/midpoint-sp.xml
rename to Workbench/webproxy/container_files/mdload/midpoint-sp.xml
diff --git a/Workbench/idp/shibboleth-idp/metadata/proxy-sp.xml b/Workbench/webproxy/container_files/mdload/proxy-sp.xml
similarity index 100%
rename from Workbench/idp/shibboleth-idp/metadata/proxy-sp.xml
rename to Workbench/webproxy/container_files/mdload/proxy-sp.xml
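Review bot: The script declares `#!/bin/sh` but relies on `pushd`/`popd` and `[[ … =~ … ]]`, which are bash-only; it runs today only because /bin/sh is bash on this base image and will break under dash or ash. Change the shebang to `#!/bin/bash` (wait-for-it.sh in the same directory already uses `#!/usr/bin/env bash`); startWithMDLoad.sh has the same problem. `--data-raw "$(cat $2)"` can become `--data-binary @"$2"`, which streams the file byte-exact, quotes the path, and works with the stock curl, and `ID=$(cat $DIR/output.txt | jq -r '.id')` is simpler as `ID=$(jq -r '.id' "$DIR/output.txt")`. The PATCH that enables the object is not checked either; `|| exit 1` after its `--header` line keeps a failed activation from being followed by the attribute-release update.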
diff --git a/Workbench/webproxy/container_files/mdload/wait-for-it.sh b/Workbench/webproxy/container_files/mdload/wait-for-it.sh new file mode 100755 index 0000000..d990e0d --- /dev/null +++ b/Workbench/webproxy/container_files/mdload/wait-for-it.sh 
@@ -0,0 +1,182 @@ +#!/usr/bin/env bash +# Use this script to test if a given TCP host/port are available + +WAITFORIT_cmdname=${0##*/} + +echoerr() { if [[ $WAITFORIT_QUIET -ne 1 ]]; then echo "$@" 1>&2; fi } + +usage() +{ + cat << USAGE >&2 +Usage: + $WAITFORIT_cmdname host:port [-s] [-t timeout] [-- command args] + -h HOST | --host=HOST Host or IP under test + -p PORT | --port=PORT TCP port under test + Alternatively, you specify the host and port as host:port + -s | --strict Only execute subcommand if the test succeeds + -q | --quiet Don't output any status messages + -t TIMEOUT | --timeout=TIMEOUT + Timeout in seconds, zero for no timeout + -- COMMAND ARGS Execute command with args after the test finishes +USAGE + exit 1 +} + +wait_for() +{ + if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then + echoerr "$WAITFORIT_cmdname: waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT" + else + echoerr "$WAITFORIT_cmdname: waiting for $WAITFORIT_HOST:$WAITFORIT_PORT without a timeout" + fi + WAITFORIT_start_ts=$(date +%s) + while : + do + if [[ $WAITFORIT_ISBUSY -eq 1 ]]; then + nc -z $WAITFORIT_HOST $WAITFORIT_PORT + WAITFORIT_result=$? + else + (echo -n > /dev/tcp/$WAITFORIT_HOST/$WAITFORIT_PORT) >/dev/null 2>&1 + WAITFORIT_result=$? + fi + if [[ $WAITFORIT_result -eq 0 ]]; then + WAITFORIT_end_ts=$(date +%s) + echoerr "$WAITFORIT_cmdname: $WAITFORIT_HOST:$WAITFORIT_PORT is available after $((WAITFORIT_end_ts - WAITFORIT_start_ts)) seconds" + break + fi + sleep 1 + done + return $WAITFORIT_result +} + +wait_for_wrapper() +{ + # In order to support SIGINT during timeout: http://unix.stackexchange.com/a/57692 + if [[ $WAITFORIT_QUIET -eq 1 ]]; then + timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --quiet --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT & + else + timeout $WAITFORIT_BUSYTIMEFLAG $WAITFORIT_TIMEOUT $0 --child --host=$WAITFORIT_HOST --port=$WAITFORIT_PORT --timeout=$WAITFORIT_TIMEOUT & + fi + WAITFORIT_PID=$! 
+ trap "kill -INT -$WAITFORIT_PID" INT + wait $WAITFORIT_PID + WAITFORIT_RESULT=$? + if [[ $WAITFORIT_RESULT -ne 0 ]]; then + echoerr "$WAITFORIT_cmdname: timeout occurred after waiting $WAITFORIT_TIMEOUT seconds for $WAITFORIT_HOST:$WAITFORIT_PORT" + fi + return $WAITFORIT_RESULT +} + +# process arguments +while [[ $# -gt 0 ]] +do + case "$1" in + *:* ) + WAITFORIT_hostport=(${1//:/ }) + WAITFORIT_HOST=${WAITFORIT_hostport[0]} + WAITFORIT_PORT=${WAITFORIT_hostport[1]} + shift 1 + ;; + --child) + WAITFORIT_CHILD=1 + shift 1 + ;; + -q | --quiet) + WAITFORIT_QUIET=1 + shift 1 + ;; + -s | --strict) + WAITFORIT_STRICT=1 + shift 1 + ;; + -h) + WAITFORIT_HOST="$2" + if [[ $WAITFORIT_HOST == "" ]]; then break; fi + shift 2 + ;; + --host=*) + WAITFORIT_HOST="${1#*=}" + shift 1 + ;; + -p) + WAITFORIT_PORT="$2" + if [[ $WAITFORIT_PORT == "" ]]; then break; fi + shift 2 + ;; + --port=*) + WAITFORIT_PORT="${1#*=}" + shift 1 + ;; + -t) + WAITFORIT_TIMEOUT="$2" + if [[ $WAITFORIT_TIMEOUT == "" ]]; then break; fi + shift 2 + ;; + --timeout=*) + WAITFORIT_TIMEOUT="${1#*=}" + shift 1 + ;; + --) + shift + WAITFORIT_CLI=("$@") + break + ;; + --help) + usage + ;; + *) + echoerr "Unknown argument: $1" + usage + ;; + esac +done + +if [[ "$WAITFORIT_HOST" == "" || "$WAITFORIT_PORT" == "" ]]; then + echoerr "Error: you need to provide a host and port to test." + usage +fi + +WAITFORIT_TIMEOUT=${WAITFORIT_TIMEOUT:-15} +WAITFORIT_STRICT=${WAITFORIT_STRICT:-0} +WAITFORIT_CHILD=${WAITFORIT_CHILD:-0} +WAITFORIT_QUIET=${WAITFORIT_QUIET:-0} + +# Check to see if timeout is from busybox? 
+WAITFORIT_TIMEOUT_PATH=$(type -p timeout) +WAITFORIT_TIMEOUT_PATH=$(realpath $WAITFORIT_TIMEOUT_PATH 2>/dev/null || readlink -f $WAITFORIT_TIMEOUT_PATH) + +WAITFORIT_BUSYTIMEFLAG="" +if [[ $WAITFORIT_TIMEOUT_PATH =~ "busybox" ]]; then + WAITFORIT_ISBUSY=1 + # Check if busybox timeout uses -t flag + # (recent Alpine versions don't support -t anymore) + if timeout &>/dev/stdout | grep -q -e '-t '; then + WAITFORIT_BUSYTIMEFLAG="-t" + fi +else + WAITFORIT_ISBUSY=0 +fi + +if [[ $WAITFORIT_CHILD -gt 0 ]]; then + wait_for + WAITFORIT_RESULT=$? + exit $WAITFORIT_RESULT +else + if [[ $WAITFORIT_TIMEOUT -gt 0 ]]; then + wait_for_wrapper + WAITFORIT_RESULT=$? + else + wait_for + WAITFORIT_RESULT=$? + fi +fi + +if [[ $WAITFORIT_CLI != "" ]]; then + if [[ $WAITFORIT_RESULT -ne 0 && $WAITFORIT_STRICT -eq 1 ]]; then + echoerr "$WAITFORIT_cmdname: strict mode, refusing to execute subprocess" + exit $WAITFORIT_RESULT + fi + exec "${WAITFORIT_CLI[@]}" +else + exit $WAITFORIT_RESULT +fi diff --git a/Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml b/Workbench/webproxy/container_files/mdload/wordpress-sp.xml similarity index 100% rename from Workbench/idp/shibboleth-idp/metadata/wordpress-sp.xml rename to Workbench/webproxy/container_files/mdload/wordpress-sp.xml diff --git a/Workbench/webproxy/container_files/system/setservername.sh b/Workbench/webproxy/container_files/system/setservername.sh index 00294cd..8d6e049 100644 --- a/Workbench/webproxy/container_files/system/setservername.sh +++ b/Workbench/webproxy/container_files/system/setservername.sh @@ -1,8 +1,8 @@ #!/bin/bash -files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html" +files="/etc/shibboleth/idp-metadata.xml /var/www/html/index.html /mdload/grouper-sp.xml /mdload/midpoint-sp.xml /mdload/comanage-sp.xml /mdload/proxy-sp.xml /mdload/wordpress-sp.xml" for file in $files do sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file - done \ No newline at end of file + done 
diff --git a/Workbench/webproxy/container_files/system/startWithMDLoad.sh b/Workbench/webproxy/container_files/system/startWithMDLoad.sh
new file mode 100755
index 0000000..e08d294
--- /dev/null
+++ b/Workbench/webproxy/container_files/system/startWithMDLoad.sh
@@ -0,0 +1,12 @@
+#!/bin/sh
+/usr/local/bin/startup.sh &
+
+#wait for IdPUI's API, then load metadata into it
+pushd /mdload
+./wait-for-it.sh -t 0 idp_ui_api:8443 -- ./loadMD.sh GrouperSP /mdload/grouper-sp.xml 40 && \
+ ./loadMD.sh midPointSP /mdload/midpoint-sp.xml 0 && \
+ ./loadMD.sh ProxySP /mdload/proxy-sp.xml 0 && \
+ ./loadMD.sh WordPressSP /mdload/wordpress-sp.xml 0 && \
+ ./loadMD.sh COmanageSP /mdload/comanage-sp.xml 0
+popd
+wait
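Review bot: If any step of the `&&` chain fails, the remaining SPs are silently skipped while the container keeps running and reports healthy, because the webproxy HEALTHCHECK only probes /Shibboleth.sso/Status; a missing SP registration then surfaces only at login time. Append `|| echo "mdload: metadata load failed, see loadMD output above" >&2` to the last `./loadMD.sh COmanageSP …` line so the outcome is visible in the container log, and consider writing a marker file the healthcheck can inspect. `pushd`/`popd` here are bash builtins under a `#!/bin/sh` shebang, the same issue noted on loadMD.sh; `cd /mdload || exit 1` is the portable form.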