IdP UI integration, add container healthchecks

internet2 · Dec 16, 2020 · da36c1a · da36c1a
1 parent 73bb7fc
commit da36c1a
Show file tree

Hide file tree

Showing 11 changed files with 299 additions and 7 deletions.
diff --git a/Workbench/comanage_data/Dockerfile b/Workbench/comanage_data/Dockerfile
@@ -7,3 +7,6 @@ ENV MYSQL_USER registry_user
 ENV MYSQL_PASSWORD 123321
 ENV MYSQL_DATADIR /var/lib/mysqlmounted
 ENV AFTER_FIRST_TIME_SQL /seed-data/comanage-bootstrap.sql
+
+
+
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
@@ -19,7 +19,7 @@ services:
         aliases:
          - grouper-daemon
     healthcheck:
-      test: curl -s grouper_data:3306
+      test: gsh
       interval: 30s
       timeout: 30s
       retries: 3
@@ -60,6 +60,11 @@ services:
          - grouper-ui
     ports:
      - 8443:443
+    healthcheck:
+      test: curl -k -f https://127.0.0.1/grouper/grouperUi/ || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     secrets:
      - g_database_password.txt
      - source: grouper.hibernate.properties
@@ -112,6 +117,11 @@ services:
          - grouper-ws
     ports:
      - 9443:443
+    healthcheck:
+      test: curl -k -f https://127.0.0.1/grouper-ws/status?diagnosticType=trivial || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     secrets:
      - g_database_password.txt
      - source: grouper.hibernate.properties
@@ -147,7 +157,7 @@ services:
     ports:
      - 3306:3306
     healthcheck:
-      test: curl -s grouper_data:3306
+      test: curl -s 127.0.0.1:3306
       interval: 30s
       timeout: 30s
       retries: 3
@@ -160,6 +170,11 @@ services:
      - 389:389
     networks:
      - net
+    healthcheck:
+      test: netstat -an | grep :389 | grep LISTEN
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - ldap:/var/lib/dirsrv
 
@@ -169,6 +184,11 @@ services:
      - 13306:3306
     networks:
      - net
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - source_mysql:/var/lib/mysql
      - source_data:/var/lib/mysqlmounted
@@ -183,6 +203,11 @@ services:
       net:
         aliases:
          - comanage-data
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - comanage_mysql:/var/lib/mysql
      - comanage_data:/var/lib/mysqlmounted
@@ -197,6 +222,11 @@ services:
       net:
         aliases:
          - midpoint-data
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - midpoint_mysql:/var/lib/mysql
      - midpoint_data:/var/lib/mysqlmounted
@@ -260,6 +290,7 @@ services:
         - CSPHOSTNAME
     depends_on:
      - directory
+     - idp_ui
     environment:
      - JETTY_MAX_HEAP=64m
      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password
@@ -278,11 +309,16 @@ services:
       args:
         - CSPHOSTNAME
     depends_on:
-     - idp
+     - idp_ui_data
     networks:
      - net
     ports:
      - 8080:8080
+    healthcheck:
+      test: curl -k -f https://127.0.0.1:8443/idpui/login || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - generated-metadata:/generated-metadata
      - generated-config:/generated-config
@@ -300,6 +336,11 @@ services:
       net:
         aliases:
          - idpui-data
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
     - mariadb-data:/var/lib/mysql
 
@@ -312,6 +353,11 @@ services:
      - net
     ports:
      - 15672:15672
+    healthcheck:
+      test: curl -s 127.0.0.1:15672
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - mq:/var/lib/rabbitmq
 
@@ -360,6 +406,11 @@ services:
     build: ./wordpress_data/
     networks:
       - net
+    healthcheck:
+      test: curl -s 127.0.0.1:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
       - wordpress_data:/var/lib/mysql
     ports:
@@ -381,6 +432,11 @@ services:
      - net
     ports:
      - 11443:443
+    healthcheck:
+      test: curl -kf https://127.0.0.1/registry/ || exit 1
+      interval: 30s
+      timeout: 30s
+      retries: 3
     volumes:
      - type: bind
        source: ./configs-and-secrets/comanage/shibboleth/shibboleth2.xml
@@ -400,6 +456,11 @@ services:
       context: ./comanage_cron/
       args:
         - CSPHOSTNAME
+    healthcheck:
+      test: curl -s comanage_data:3306
+      interval: 30s
+      timeout: 30s
+      retries: 3
     environment:
      - ENV
      - USERTOKEN

diff --git a/Workbench/grouper_data/Dockerfile b/Workbench/grouper_data/Dockerfile
@@ -35,4 +35,5 @@ RUN (mysqld_safe & ) \
 
 EXPOSE 3306
 
+
 CMD mysqld_safe
diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile
@@ -9,6 +9,8 @@ COPY shibboleth-idp/ /opt/shibboleth-idp/
 
 RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated
 
+COPY container_files/idp/shibui-metadata-providers.xml /opt/shibboleth-idp/conf/generated/
+
 COPY container_files/system/setservername.sh /usr/local/bin/
 RUN chmod 755 /usr/local/bin/setservername.sh
 

diff --git a/Workbench/idp/container_files/idp/shibui-metadata-providers.xml b/Workbench/idp/container_files/idp/shibui-metadata-providers.xml
@@ -0,0 +1,6 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
+                	xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+                	id="ShibbolethMetadata"
+                	xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"
+                	xsi:type="ChainingMetadataProvider"/>
diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -37,4 +37,70 @@
 		<AttributeRule attributeID="mail" permitAny="true" />
     </AttributeFilterPolicy>
 
+	<!-- Supports annotated metadata supplied by the Shibb UI -->
+	<AttributeFilterPolicy id="Per-Attribute-singleValued">
+        <PolicyRequirementRule xsi:type="ANY"/>
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonPrincipalName" />
+        </AttributeRule>
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="uid" />
+        </AttributeRule>
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="mail" />
+        </AttributeRule>
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="surname" />
+        </AttributeRule>
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="givenName" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonAffiliation" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonScopedAffiliation" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonPrimaryAffiliation" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonEntitlement" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonAssurance">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonAssurance" />
+        </AttributeRule>
+        <AttributeRule attributeID="eduPersonUniqueId">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonUniqueId" />
+        </AttributeRule>
+        <AttributeRule attributeID="employeeNumber">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="employeeNumber" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+
 </AttributeFilterPolicyGroup>
diff --git a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
@@ -30,6 +30,14 @@
     <MetadataProvider id="ComanageSP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/comanage-sp.xml"/>
     <MetadataProvider id="ProxySP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
 	<MetadataProvider id="ShibUISP"  xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/idpui-sp.xml"/>
+
+	<!-- For metadata generated by the Shib UI -->
+	<MetadataProvider id="LocalDynamic"
+                      xsi:type="LocalDynamicMetadataProvider"
+                      sourceDirectory="%{idp.home}/metadata/generated"
+                      minCacheDuration="PT10S"
+                      maxCacheDuration="PT30S"/>
+
 
     <!-- Example HTTP metadata provider.  Use this if you want to download
          the metadata from a remote service.

diff --git a/Workbench/idp/shibboleth-idp/conf/relying-party.xml b/Workbench/idp/shibboleth-idp/conf/relying-party.xml
@@ -0,0 +1,76 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
+    to enable specific default profile settings (as below), or create new beans inline to override defaults.
+    
+    "Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
+    legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
+    -->
+    <bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
+        <property name="profileConfigurations">
+            <list>
+            <!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
+            </list>
+        </property>
+    </bean>
+
+    <!--
+    Default configuration, with default settings applied for all profiles, and enables
+    the attribute-release consent flow.
+    -->
+    <bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
+        <property name="profileConfigurations">
+            <list>
+                <!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. -->
+                <!--
+                <bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
+                <ref bean="SAML1.AttributeQuery" />
+                <ref bean="SAML1.ArtifactResolution" />
+                -->
+				<bean parent="SAML2.SSO.MDDriven" p:postAuthenticationFlows="attribute-release"/>
+                <!-- <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> -->
+                <ref bean="SAML2.ECP" />
+                <ref bean="SAML2.Logout" />
+                <!--
+                <ref bean="SAML2.AttributeQuery" />
+                -->
+                <ref bean="SAML2.ArtifactResolution" />
+                <ref bean="Liberty.SSOS" />
+            </list>
+        </property>
+    </bean>
+
+    <!-- Container for any overrides you want to add. -->
+
+    <util:list id="shibboleth.RelyingPartyOverrides">
+
+        <!--
+        Override example that identifies a single RP by name and configures it
+        for SAML 2 SSO without encryption. This is a common "vendor" scenario.
+        -->
+        <!--
+        <bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
+            <property name="profileConfigurations">
+                <list>
+                    <bean parent="SAML2.SSO" p:encryptAssertions="false" />
+                </list>
+            </property>
+        </bean>
+        -->
+
+    </util:list>
+
+</beans>