Merge branch 'main' of https://github.internet2.edu/internet2/InCommo…

…nTAP-Examples into wordpress-shibb
internet2 · Dec 22, 2020 · abed95e · abed95e
2 parents be9cae0 + 8c0a73e
commit abed95e
Show file tree

Hide file tree

Showing 29 changed files with 762 additions and 124 deletions.
diff --git a/Workbench/comanage_data/container_files/seed-data/comanage-bootstrap.sql b/Workbench/comanage_data/container_files/seed-data/comanage-bootstrap.sql
diff --git a/Workbench/configs-and-secrets/comanage/shibboleth/shibboleth2.xml b/Workbench/configs-and-secrets/comanage/shibboleth/shibboleth2.xml
@@ -47,7 +47,7 @@
             <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/>
 
             <!-- Status reporting service. -->
-            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 172.16.0.0/12"/>
+            <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1 172.16.0.0/12 192.168.0.0/16"/>
 
             <!-- Session diagnostic service. -->
             <Handler type="Session" Location="/Session" showAttributeValues="true"/>

diff --git a/Workbench/directory/Dockerfile b/Workbench/directory/Dockerfile
@@ -4,7 +4,7 @@ LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
 RUN yum install -y epel-release \
     && yum update -y \
-    && yum install -y 389-ds-base phpMyAdmin phpldapadmin mod_ssl \
+    && yum install -y 389-ds-base phpMyAdmin phpldapadmin mod_ssl net-tools \
     && yum clean all \
     && rm -rf /var/cache/yum
 

diff --git a/Workbench/directory/container_files/etc/phpldapadmin/config.php b/Workbench/directory/container_files/etc/phpldapadmin/config.php
@@ -329,7 +329,7 @@
    the directory for users (ie, if your LDAP server does not allow anonymous
    binds. */
 // $servers->setValue('login','bind_id','');
-$servers->setValue('login','bind_id','cn=admin,dc=internet2,dc=edu');
+$servers->setValue('login','bind_id','cn=Directory Manager');
 
 /* Your LDAP password. If you specified an empty bind_id above, this MUST also
    be blank. */

diff --git a/Workbench/directory/container_files/seed-data/data.ldif b/Workbench/directory/container_files/seed-data/data.ldif
@@ -62,6 +62,7 @@ objectClass: person
 objectClass: top
 cn: Andy Guest
 sn: Aguest
+mail: andyaguestcspuser@workbench.incommon.org
 givenName: Andy
 userPassword: password
 description: A guest user
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
@@ -19,7 +19,7 @@ services:
         aliases:
          - grouper-daemon
     healthcheck:
-      test: curl -s grouper_data:3306
+      test: gsh
       interval: 30s
       timeout: 30s
       retries: 3
@@ -60,6 +60,11 @@ services:
          - grouper-ui
     ports:
      - 8443:443
+    healthcheck:
+      test: curl -k -f https://127.0.0.1/grouper/grouperUi/ || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     secrets:
      - g_database_password.txt
      - source: grouper.hibernate.properties
@@ -112,6 +117,11 @@ services:
          - grouper-ws
     ports:
      - 9443:443
+    healthcheck:
+      test: curl -k -f https://127.0.0.1/grouper-ws/status?diagnosticType=trivial || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     secrets:
      - g_database_password.txt
      - source: grouper.hibernate.properties
@@ -147,7 +157,7 @@ services:
     ports:
      - 3306:3306
     healthcheck:
-      test: curl -s grouper_data:3306
+      test: curl -s 127.0.0.1:3306
       interval: 30s
       timeout: 30s
       retries: 3
@@ -160,6 +170,11 @@ services:
      - 389:389
     networks:
      - net
+    healthcheck:
+      test: netstat -an | grep :389 | grep LISTEN
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - ldap:/var/lib/dirsrv
 
@@ -169,6 +184,11 @@ services:
      - 13306:3306
     networks:
      - net
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - source_mysql:/var/lib/mysql
      - source_data:/var/lib/mysqlmounted
@@ -183,6 +203,11 @@ services:
       net:
         aliases:
          - comanage-data
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - comanage_mysql:/var/lib/mysql
      - comanage_data:/var/lib/mysqlmounted
@@ -197,6 +222,11 @@ services:
       net:
         aliases:
          - midpoint-data
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - midpoint_mysql:/var/lib/mysql
      - midpoint_data:/var/lib/mysqlmounted
@@ -260,6 +290,7 @@ services:
         - CSPHOSTNAME
     depends_on:
      - directory
+     - idp_ui
     environment:
      - JETTY_MAX_HEAP=64m
      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password
@@ -278,17 +309,22 @@ services:
       args:
         - CSPHOSTNAME
     depends_on:
-     - idp
+     - idp_ui_data
     networks:
      - net
     ports:
      - 8080:8080
+    healthcheck:
+      test: curl -k -f https://127.0.0.1:8443/idpui/login || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - generated-metadata:/generated-metadata
      - generated-config:/generated-config
 
   idp_ui_data:
-    image: tier/mariadb:latest
+    image: tier/mariadb:mariadb10.2
     ports:
      - 33366:3306
     environment:
@@ -300,6 +336,11 @@ services:
       net:
         aliases:
          - idpui-data
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
     - mariadb-data:/var/lib/mysql
 
@@ -312,6 +353,11 @@ services:
      - net
     ports:
      - 15672:15672
+    healthcheck:
+      test: curl -s 127.0.0.1:15672 > /dev/null
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - mq:/var/lib/rabbitmq
 
@@ -365,6 +411,11 @@ services:
     build: ./wordpress_data/
     networks:
       - net
+    healthcheck:
+      test: curl -s 127.0.0.1:3306 ; res=$$? ; if [[ $$res -ne 1 ]]; then exit 1; fi
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
       - wordpress_data:/var/lib/mysql
     ports:
@@ -375,6 +426,8 @@ services:
       context: ./comanage/
       args:
         - CSPHOSTNAME
+    depends_on:
+     - comanage_data
     environment:
      - ENV
      - USERTOKEN
@@ -386,6 +439,11 @@ services:
      - net
     ports:
      - 11443:443
+    healthcheck:
+      test: curl -kf https://127.0.0.1/registry/ || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - type: bind
        source: ./configs-and-secrets/comanage/shibboleth/shibboleth2.xml
@@ -405,6 +463,13 @@ services:
       context: ./comanage_cron/
       args:
         - CSPHOSTNAME
+    depends_on:
+     - comanage
+    healthcheck:
+      test: curl -s comanage_data:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     environment:
      - ENV
      - USERTOKEN

diff --git a/Workbench/grouper_data/Dockerfile b/Workbench/grouper_data/Dockerfile
@@ -35,4 +35,5 @@ RUN (mysqld_safe & ) \
 
 EXPOSE 3306
 
+
 CMD mysqld_safe
diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile
@@ -9,6 +9,8 @@ COPY shibboleth-idp/ /opt/shibboleth-idp/
 
 RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated
 
+COPY container_files/idp/shibui-metadata-providers.xml /opt/shibboleth-idp/conf/generated/
+
 COPY container_files/system/setservername.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/setservername.sh
 

diff --git a/Workbench/idp/container_files/idp/shibui-metadata-providers.xml b/Workbench/idp/container_files/idp/shibui-metadata-providers.xml
@@ -0,0 +1,11 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+    xmlns="urn:mace:shibboleth:2.0:metadata"
+    xmlns:resource="urn:mace:shibboleth:2.0:resource"
+    xmlns:security="urn:mace:shibboleth:2.0:security"
+    xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata"
+    xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd
+                        urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd 
+                        urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd
+                        urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd" />
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -37,4 +37,70 @@
 		<AttributeRule attributeID="mail" permitAny="true" />
     </AttributeFilterPolicy>
 
+	<!-- Supports annotated metadata supplied by the Shibb UI -->
+	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+        <PolicyRequirementRule xsi:type="ANY"/>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonPrincipalName" />
+        </AttributeRule>
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="uid" />
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="mail" />
+        </AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="surname" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="givenName" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonAffiliation" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonScopedAffiliation" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonPrimaryAffiliation" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonEntitlement" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAssurance">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonAssurance" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonUniqueId">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonUniqueId" />
+        </AttributeRule>
+        <AttributeRule attributeID="employeeNumber">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="employeeNumber" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+
 </AttributeFilterPolicyGroup>
diff --git a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
@@ -1,6 +1,5 @@
 <?xml version="1.0" encoding="UTF-8"?>
-<!-- This file is an EXAMPLE metadata configuration file. -->
-<MetadataProvider id="ShibbolethMetadata" xsi:type="ChainingMetadataProvider"
+<MetadataProvider id="IdPShibbolethMetadata" xsi:type="ChainingMetadataProvider"
     xmlns="urn:mace:shibboleth:2.0:metadata"
     xmlns:resource="urn:mace:shibboleth:2.0:resource"
     xmlns:security="urn:mace:shibboleth:2.0:security"
@@ -31,6 +30,14 @@
     <MetadataProvider id="WordpressSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/wordpress-sp.xml"/>
     <MetadataProvider id="ProxySP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
 	<MetadataProvider id="ShibUISP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/idpui-sp.xml"/>
+
+	<!-- For metadata generated by the Shib UI -->
+	<MetadataProvider id="LocalDynamic"
+                      xsi:type="LocalDynamicMetadataProvider"
+                      sourceDirectory="%{idp.home}/metadata/generated"
+                      minCacheDuration="PT10S"
+                      maxCacheDuration="PT30S"/>
+
 
     <!-- Example HTTP metadata provider.  Use this if you want to download
          the metadata from a remote service.