internet2 · pcaskey · Oct 1, 2021 · Oct 1, 2021 · Oct 1, 2021
diff --git a/Workbench/docker-compose.yml b/Workbench/docker-compose.yml
@@ -303,7 +303,6 @@ services:
         - CSPHOSTNAME
     depends_on:
      - directory
-     - idp_ui
     environment:
      - JETTY_MAX_HEAP=64m
      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password
@@ -336,6 +335,25 @@ services:
      - generated-metadata:/generated-metadata
      - generated-config:/generated-config
 
+  idp_ui_api:
+    build:
+      context: ./idp_ui_api/
+      args:
+        - CSPHOSTNAME
+    depends_on:
+     - idp_ui_data
+     - idp_ui
+    networks:
+     - net
+    healthcheck:
+      test: curl -k -s https://127.0.0.1:8443/idpui-api
+      interval: 30s
+      timeout: 30s
+      retries: 3
+    volumes:
+     - generated-metadata:/generated-metadata
+     - generated-config:/generated-config
+
   idp_ui_data:
     image: tier/mariadb:mariadb10.2
     ports:
@@ -382,6 +400,8 @@ services:
         - CSPHOSTNAME
     networks:
      - net
+    depends_on:
+      - idp_ui_api
     ports:
      - 443:443
 

diff --git a/Workbench/idp/Dockerfile b/Workbench/idp/Dockerfile
@@ -6,9 +6,6 @@ ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
 
 COPY shibboleth-idp/ /opt/shibboleth-idp/
-#rather than copying metadata files included in above folder and including in config, instead upload these files to the IdP UI
-#  API info here: https://documenter.getpostman.com/view/446764/TzzHmCkn
-
 
 RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated
 
@@ -19,3 +16,5 @@ RUN chmod 755 /usr/local/bin/setservername.sh
 
 #set hostname
 RUN /usr/local/bin/setservername.sh
+
+
diff --git a/Workbench/idp/container_files/system/setservername.sh b/Workbench/idp/container_files/system/setservername.sh
@@ -1,6 +1,6 @@
 #!/bin/bash
 
-files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml /opt/shibboleth-idp/metadata/grouper-sp.xml /opt/shibboleth-idp/metadata/proxy-sp.xml /opt/shibboleth-idp/metadata/comanage-sp.xml /opt/shibboleth-idp/metadata/midpoint-sp.xml /opt/shibboleth-idp/metadata/wordpress-sp.xml"
+files="/opt/shibboleth-idp/metadata/idp-metadata.xml /opt/shibboleth-idp/metadata/idpui-sp.xml"
 
 for file in $files
   do

diff --git a/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml b/Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
@@ -95,7 +95,7 @@
 
 
     <!-- workbench SPs -->
-    <AttributeFilterPolicy id="grouper">
+<!--    <AttributeFilterPolicy id="grouper">
         <PolicyRequirementRule xsi:type="Requester" value="https://grouperdemo/shibboleth" />
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
         <AttributeRule attributeID="uid" permitAny="true" />
@@ -126,7 +126,7 @@
         <AttributeRule attributeID="eduPersonPrincipalName" permitAny="true" />
         <AttributeRule attributeID="uid" permitAny="true" />
         <AttributeRule attributeID="mail" permitAny="true" />
-    </AttributeFilterPolicy>
+    </AttributeFilterPolicy> -->
 
     <AttributeFilterPolicy id="shibui">
         <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org/shibui" />

diff --git a/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml b/Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
@@ -33,11 +33,11 @@
     -->
 
     <!-- Workbench SPs --> 
-    <MetadataProvider id="GrouperSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/grouper-sp.xml"/>
+    <!-- <MetadataProvider id="GrouperSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/grouper-sp.xml"/>
     <MetadataProvider id="MidpointSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/midpoint-sp.xml"/>
     <MetadataProvider id="ComanageSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/comanage-sp.xml"/>
     <MetadataProvider id="WordpressSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/wordpress-sp.xml"/>
-    <MetadataProvider id="ProxySP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
+    <MetadataProvider id="ProxySP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/> -->
     <MetadataProvider id="ShibUISP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/idpui-sp.xml"/>
 
     <!-- For metadata generated by the Shib UI -->

diff --git a/Workbench/idp_ui_api/Dockerfile b/Workbench/idp_ui_api/Dockerfile
@@ -0,0 +1,18 @@
+FROM i2incommon/shib-idp-ui:1.9.2
+
+ARG CSPHOSTNAME=localhost
+ENV CSPHOSTNAME=$CSPHOSTNAME
+
+COPY container_files/idp_ui/application.yml /opt/shibui/
+COPY container_files/idp_ui/shibui-test.p12 /opt/shibui/
+COPY container_files/idp_ui/users.txt /opt/shibui/
+
+#RUN mkdir -p /opt/shibui/saml/
+##COPY container_files/idp_ui/samlkeystore.jks /opt/shibui/saml/
+#COPY container_files/idp_ui/idp-metadata.xml /opt/shibui/saml/
+
+#COPY container_files/system/setservername.sh /usr/local/bin/
+#RUN chmod 755 /usr/local/bin/setservername.sh
+#RUN /usr/local/bin/setservername.sh
+
+EXPOSE 8443
diff --git a/Workbench/idp_ui_api/container_files/idp_ui/application.yml b/Workbench/idp_ui_api/container_files/idp_ui/application.yml
@@ -0,0 +1,36 @@
+server:
+  context-path: /idpui-api
+  servlet:
+    context-path: /idpui-api
+  tomcat:
+    redirect-context-root: false
+  ssl:
+    enabled: true
+    key-store: /opt/shibui/shibui-test.p12
+    key-store-password: testing
+    key-store-type: pkcs12
+    key-password: testing
+  port: 8443
+shibui:
+  default-password: "{noop}letmein7"
+  metadataProviders:
+    target: "file:/generated-config/shibui-metadata-providers.xml"
+  metadata-dir: "/generated-metadata"
+  beacon-enabled: true
+  pac4j-enabled: true
+  pac4j:
+    type-of-auth: HEADER
+    authentication-header: IDPUI_API_KEY
+spring:
+  datasource:
+    username: shibui
+    password: secret
+    url: jdbc:mariadb://idpui-data:3306/shibui
+    driverClassName: org.mariadb.jdbc.Driver
+    platform: mariadb
+  jpa:
+    database-platform: org.hibernate.dialect.MariaDBDialect
+    hibernate:
+      ddl-auto: update
+
+
diff --git a/Workbench/idp_ui_api/container_files/idp_ui/shibui-test.p12 b/Workbench/idp_ui_api/container_files/idp_ui/shibui-test.p12
diff --git a/Workbench/idp_ui_api/container_files/idp_ui/users.txt b/Workbench/idp_ui_api/container_files/idp_ui/users.txt
@@ -0,0 +1 @@
+00c34830-9028-418c-976c-624a61578c8f,{bcrypt}$2a$10$V1jeTIc0b2u7Y3yU.LqkXOPRVTBFc7SW07QaJR4KrBAmWGgTcO9H.,first,last,ROLE_ADMIN,user1@example.org
diff --git a/Workbench/idp_ui_api/container_files/system/setservername.sh b/Workbench/idp_ui_api/container_files/system/setservername.sh
@@ -0,0 +1,8 @@
+#!/bin/bash
+
+files="/opt/shibui/application.yml"
+
+for file in $files
+  do
+    sed -i "s|__CSPHOSTNAME__|$CSPHOSTNAME|g" $file
+  done
diff --git a/Workbench/scripts/gethealth.py b/Workbench/scripts/gethealth.py
@@ -1,6 +1,6 @@
 #!/bin/python
 
-containers = ["idp", "idp_ui", "idp_ui_data", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage-cron", "comanage_data", "midpoint_server", "midpoint_data", "webproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources"]
+containers = ["idp", "idp_ui", "idp_ui_data", "idp_ui_api", "grouper_ui", "grouper_ws", "grouper_daemon", "grouper_data", "comanage", "comanage-cron", "comanage_data", "midpoint_server", "midpoint_data", "webproxy", "wordpress_server", "wordpress_data", "mq", "directory", "sources"]
 
 print("<table><tr><th style='text-align:left;width:150px'>Container</th><th style='text-align:left'>Health Status</th></tr>")
 for container in containers:

diff --git a/Workbench/webproxy/Dockerfile b/Workbench/webproxy/Dockerfile
@@ -3,7 +3,7 @@ FROM tier/shibboleth_sp:latest
 ARG CSPHOSTNAME=localhost
 ENV CSPHOSTNAME=$CSPHOSTNAME
 
-RUN yum -y install cronie php composer php-bcmath
+RUN yum -y install cronie php composer php-bcmath jq
 RUN composer require php-amqplib/php-amqplib
 RUN composer install
 RUN mkdir -p /var/www/html/refresh
@@ -28,6 +28,17 @@ RUN chmod 755 /usr/local/bin/setservername.sh
 
 RUN mkdir -p /signalreload
 
+RUN mkdir -p /mdload
+COPY container_files/system/startWithMDLoad.sh /usr/local/bin/
+COPY container_files/mdload/ /mdload/
+RUN chmod 755 /usr/local/bin/startWithMDLoad.sh && chmod 755 /mdload/*.sh
+
+#install updated curl (for --data-raw)
+RUN rpm -Uvh http://www.city-fan.org/ftp/contrib/yum-repo/city-fan.org-release-2-1.rhel7.noarch.rpm
+RUN yum-config-manager --enable city-fan.org
+RUN yum update curl -y
+
+
 # fix httpd logging for ssl logs
 RUN sed -i 's/TransferLog logs\/ssl_access_log/TransferLog \/tmp\/logpipe/g' /etc/httpd/conf.d/ssl.conf \
     && sed -i 's/ErrorLog logs\/ssl_error_log/ErrorLog \/tmp\/logpipe/g' /etc/httpd/conf.d/ssl.conf
@@ -37,3 +48,6 @@ RUN /usr/local/bin/setservername.sh
 
 HEALTHCHECK --interval=1m --timeout=30s \
   CMD curl -k -f -u csp:workbench https://127.0.0.1/Shibboleth.sso/Status || exit 1
+
+CMD ["/usr/local/bin/startWithMDLoad.sh"]
+
diff --git a/Workbench/webproxy/container_files/httpd/index.html b/Workbench/webproxy/container_files/httpd/index.html
@@ -7,14 +7,14 @@ <h3>Welcome to the InCommon TAP Workbench!</h3>
 For complete documentation, see <a href="https://spaces.at.internet2.edu/x/-IKeCg" target="_blank">this page</a>.
 <br /><br />
 The system contains the following TAP components (click the links to access each component in its own tab):
-<ul>
 
- <li><a href="https://__CSPHOSTNAME__/grouper" target="TAP-WB-GROUPER">Grouper (2.5.57)</a></li>
- <li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.3.2)</a></li>
- <li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (3.3.2)</a></li>
+<ul>
+<li><a href="https://__CSPHOSTNAME__/grouper" target="TAP-WB-GROUPER">Grouper (2.6.0)</a></li>
+<li><a href="https://__CSPHOSTNAME__/midpoint" target="TAP-WB-MIDPOINT">midPoint (4.3.2)</a></li>
+<li><a href="https://__CSPHOSTNAME__/registry" target="TAP-WB-COMANAGE">COmanage Registry (3.3.4)</a></li>
 <li><a href="https://__CSPHOSTNAME__/idpui/" target="TAP-WB-IDPUI">Shibboleth IdP UI (1.9.2)</a></li>
-
 </ul>
+
 <br />
 The system also contains the following downstream/target applications:
 <ul>

diff --git a/Workbench/webproxy/container_files/httpd/proxy.conf b/Workbench/webproxy/container_files/httpd/proxy.conf
@@ -21,6 +21,10 @@ AllowEncodedSlashes NoDecode
   RequestHeader unset Authorization
 </Location>
 
+<Location /idpui-api>
+  RequestHeader unset Authorization
+</Location>
+
 ProxyPass /midpoint https://midpoint-server/midpoint
 ProxyPassReverse /midpoint https://midpoint-server/midpoint
 ProxyPass /MPSSO https://midpoint-server/MPSSO
@@ -40,6 +44,9 @@ ProxyPassReverse /idp https://idp/idp
 ProxyPass /idpui https://idp_ui:8443/idpui
 ProxyPassReverse /idpui https://idp_ui:8443/idpui
 
+ProxyPass /idpui-api https://idp_ui_api:8443/idpui-api
+ProxyPassReverse /idpui-api https://idp_ui_api:8443/idpui-api
+
 ProxyPass /rabbit http://mq:15672/ nocanon
 ProxyPassReverse /rabbit http://mq:15672/
 ProxyPass /js http://mq:15672/js

diff --git a/Workbench/webproxy/container_files/httpd/ssl.conf b/Workbench/webproxy/container_files/httpd/ssl.conf
@@ -164,6 +164,13 @@ SSLCertificateChainFile /etc/pki/tls/certs/server-chain.crt
     Satisfy any
 </Location>
 
+<Location "/idpui-api/">
+    Order deny,allow
+    Allow from all
+    Satisfy any
+</Location>
+
+
 <Location />
   AuthType Basic
   AuthName "Restricted CSP content"

diff --git a/Workbench/webproxy/container_files/mdload/addAttrRel.sh b/Workbench/webproxy/container_files/mdload/addAttrRel.sh
@@ -0,0 +1,21 @@
+#!/bin/sh
+
+HEADER_NAME="IDPUI_API_KEY"
+HEADER_VALUE="00c34830-9028-418c-976c-624a61578c8f"
+
+#first param is internal ID
+
+#get the current object and add attribute release info
+echo "mdload-attr:Fetching current data for object $1"
+curl -k -s --location --request GET "https://localhost/idpui-api/api/EntityDescriptor/$1" \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" | jq '.attributeRelease += ["eduPersonPrincipalName","mail","givenName","surname","uid"]' > json.out
+
+#update the existing object with the added attribute release data
+echo "mdload-attr:Adding attribute release info for object $1"
+curl -k -s --location --request PUT "https://localhost/idpui-api/api/EntityDescriptor/$1" \
+--header 'Content-Type: application/json' \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" \
+--data-raw "$(cat json.out)"
+
+rm json.out
+
diff --git a/...p/shibboleth-idp/metadata/comanage-sp.xml → ...xy/container_files/mdload/comanage-sp.xml b/...p/shibboleth-idp/metadata/comanage-sp.xml → ...xy/container_files/mdload/comanage-sp.xml
diff --git a/...dp/shibboleth-idp/metadata/grouper-sp.xml → ...oxy/container_files/mdload/grouper-sp.xml b/...dp/shibboleth-idp/metadata/grouper-sp.xml → ...oxy/container_files/mdload/grouper-sp.xml
diff --git a/Workbench/webproxy/container_files/mdload/loadMD.sh b/Workbench/webproxy/container_files/mdload/loadMD.sh
@@ -0,0 +1,54 @@
+#!/bin/sh
+
+HEADER_NAME="IDPUI_API_KEY"
+HEADER_VALUE="00c34830-9028-418c-976c-624a61578c8f"
+DIR=/mdload
+
+#first param is name of SP
+#second param is filename of raw metadata
+#third param is sleep time
+
+
+pushd $DIR
+
+#make sure its up
+echo "mdload:Sleeping for $3 seconds to ensure availability"
+sleep $3
+
+#import raw XML
+echo "mdload:Importing metadata for $1..."
+curl -k -s --location --request POST "https://localhost/idpui-api/api/EntityDescriptor?spName=$1" \
+--header 'Content-Type: application/xml' \
+--header "${HEADER_NAME}: ${HEADER_VALUE}" \
+--data-raw "$(cat $2)" > $DIR/output.txt
+
+#get ID, set as enabled
+ID=$(cat $DIR/output.txt | jq -r '.id')
+echo "mdload:Fetched ID for object: $ID"
+sleep 5
+
+#ensure ID isn't empty
+echo "Setting $1 as enabled..."
+if [[ -z "$ID" ]]; then
+ echo "mdload:\$ID : is EMPTY, terminating"
+ cat $DIR/output.txt
+ exit 1
+fi
+
+#validate ID
+if [[ $ID =~ ^\{?[A-F0-9a-f]{8}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{4}-[A-F0-9a-f]{12}\}?$ ]]; then
+  echo "mdload: object ID validated"
+  curl -k -s --location --request PATCH "https://localhost/idpui-api/api/activate/entityDescriptor/$ID/enable" \
+     --header "${HEADER_NAME}: ${HEADER_VALUE}"
+else
+  echo "mdload:Bad response from service, terminating:"
+  cat $DIR/output.txt
+  exit 1
+fi
+
+#add attribute release
+$DIR/addAttrRel.sh $ID
+
+rm $DIR/output.txt
+
+popd
diff --git a/...p/shibboleth-idp/metadata/midpoint-sp.xml → ...xy/container_files/mdload/midpoint-sp.xml b/...p/shibboleth-idp/metadata/midpoint-sp.xml → ...xy/container_files/mdload/midpoint-sp.xml
diff --git a/.../idp/shibboleth-idp/metadata/proxy-sp.xml → ...proxy/container_files/mdload/proxy-sp.xml b/.../idp/shibboleth-idp/metadata/proxy-sp.xml → ...proxy/container_files/mdload/proxy-sp.xml