
integrate IdP UI, add healthchecks #69

Merged
merged 3 commits into from
Dec 16, 2020
Merged
2 changes: 1 addition & 1 deletion Workbench/comanage_data/Dockerfile
Expand Up @@ -6,4 +6,4 @@ ENV MYSQL_DATABASE registry
ENV MYSQL_USER registry_user
ENV MYSQL_PASSWORD 123321
ENV MYSQL_DATADIR /var/lib/mysqlmounted
# ENV AFTER_FIRST_TIME_SQL /seed-data/comanage-bootstrap.sql
ENV AFTER_FIRST_TIME_SQL /seed-data/comanage-bootstrap.sql
67 changes: 64 additions & 3 deletions Workbench/docker-compose.yml
Expand Up @@ -19,7 +19,7 @@ services:
aliases:
- grouper-daemon
healthcheck:
test: curl -s grouper_data:3306
test: gsh
interval: 30s
timeout: 30s
retries: 3
Expand Down Expand Up @@ -60,6 +60,11 @@ services:
- grouper-ui
ports:
- 8443:443
healthcheck:
test: curl -k -f https://127.0.0.1/grouper/grouperUi/ || exit 1
interval: 30s
timeout: 30s
retries: 3
secrets:
- g_database_password.txt
- source: grouper.hibernate.properties
Expand Down Expand Up @@ -112,6 +117,11 @@ services:
- grouper-ws
ports:
- 9443:443
healthcheck:
test: curl -k -f https://127.0.0.1/grouper-ws/status?diagnosticType=trivial || exit 1
interval: 30s
timeout: 30s
retries: 3
secrets:
- g_database_password.txt
- source: grouper.hibernate.properties
Expand Down Expand Up @@ -147,7 +157,7 @@ services:
ports:
- 3306:3306
healthcheck:
test: curl -s grouper_data:3306
test: curl -s 127.0.0.1:3306
interval: 30s
timeout: 30s
retries: 3
Expand All @@ -160,6 +170,11 @@ services:
- 389:389
networks:
- net
healthcheck:
test: netstat -an | grep :389 | grep LISTEN
interval: 30s
timeout: 30s
retries: 3
volumes:
- ldap:/var/lib/dirsrv

Expand All @@ -169,6 +184,11 @@ services:
- 13306:3306
networks:
- net
healthcheck:
test: curl -s 127.0.0.1:3306
interval: 30s
timeout: 30s
retries: 3
volumes:
- source_mysql:/var/lib/mysql
- source_data:/var/lib/mysqlmounted
Expand All @@ -183,6 +203,11 @@ services:
net:
aliases:
- comanage-data
healthcheck:
test: curl -s 127.0.0.1:3306
interval: 30s
timeout: 30s
retries: 3
volumes:
- comanage_mysql:/var/lib/mysql
- comanage_data:/var/lib/mysqlmounted
Expand All @@ -197,6 +222,11 @@ services:
net:
aliases:
- midpoint-data
healthcheck:
test: curl -s 127.0.0.1:3306
interval: 30s
timeout: 30s
retries: 3
volumes:
- midpoint_mysql:/var/lib/mysql
- midpoint_data:/var/lib/mysqlmounted
Expand Down Expand Up @@ -260,6 +290,7 @@ services:
- CSPHOSTNAME
depends_on:
- directory
- idp_ui
environment:
- JETTY_MAX_HEAP=64m
- JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password
Expand All @@ -278,11 +309,16 @@ services:
args:
- CSPHOSTNAME
depends_on:
- idp
- idp_ui_data
networks:
- net
ports:
- 8080:8080
healthcheck:
test: curl -k -f https://127.0.0.1:8443/idpui/login || exit 1
interval: 30s
timeout: 30s
retries: 3
volumes:
- generated-metadata:/generated-metadata
- generated-config:/generated-config
Expand All @@ -300,6 +336,11 @@ services:
net:
aliases:
- idpui-data
healthcheck:
test: curl -s 127.0.0.1:3306
interval: 30s
timeout: 30s
retries: 3
volumes:
- mariadb-data:/var/lib/mysql

Expand All @@ -312,6 +353,11 @@ services:
- net
ports:
- 15672:15672
healthcheck:
test: curl -s 127.0.0.1:15672
interval: 30s
timeout: 30s
retries: 3
volumes:
- mq:/var/lib/rabbitmq

Expand Down Expand Up @@ -365,6 +411,11 @@ services:
build: ./wordpress_data/
networks:
- net
healthcheck:
test: curl -s 127.0.0.1:3306
interval: 30s
timeout: 30s
retries: 3
volumes:
- wordpress_data:/var/lib/mysql
ports:
Expand All @@ -386,6 +437,11 @@ services:
- net
ports:
- 11443:443
healthcheck:
test: curl -kf https://127.0.0.1/registry/ || exit 1
interval: 30s
timeout: 30s
retries: 3
volumes:
- type: bind
source: ./configs-and-secrets/comanage/shibboleth/shibboleth2.xml
Expand All @@ -405,6 +461,11 @@ services:
context: ./comanage_cron/
args:
- CSPHOSTNAME
healthcheck:
test: curl -s comanage_data:3306
interval: 30s
timeout: 30s
retries: 3
environment:
- ENV
- USERTOKEN
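Review bot: The `test: curl -s 127.0.0.1:3306` healthchecks added for grouper_data, the source/comanage/midpoint/idpui/wordpress data services and comanage_cron do not verify much: curl sends an HTTP request to a MySQL listener, and whether it then exits 0 depends on the curl build in each image, so the probe is at best a TCP-connect check and at worst always unhealthy. Since those containers run the database server themselves, a client-level probe such as `test: mysqladmin ping -h 127.0.0.1 --silent` would be both reliable and meaningful (assuming the client tools are in the image); the comanage_cron variant (`test: curl -s comanage_data:3306`) additionally probes a different container, so it reports the database's state as cron's health. The idp_ui check targets `https://127.0.0.1:8443/idpui/login` while the service only publishes `8080:8080`; if the app also listens on 8443 inside the container that is fine, but it is worth confirming, and the grouper-daemon `test: gsh` may sit in an interactive shell until the 30s timeout rather than return. The `-k` on the loopback HTTPS checks is acceptable since the target is the container's own 127.0.0.1. A `start_period` on the slow-starting UI services (grouper_ui, grouper_ws, idp_ui, comanage) would keep them from being flagged unhealthy while booting, if the compose file format in use supports it.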
1 change: 1 addition & 0 deletions Workbench/grouper_data/Dockerfile
Expand Up @@ -35,4 +35,5 @@ RUN (mysqld_safe & ) \

EXPOSE 3306


CMD mysqld_safe
2 changes: 2 additions & 0 deletions Workbench/idp/Dockerfile
Expand Up @@ -9,6 +9,8 @@ COPY shibboleth-idp/ /opt/shibboleth-idp/

RUN mkdir -p /opt/shibboleth-idp/metadata/generated && mkdir -p /opt/shibboleth-idp/conf/generated

COPY container_files/idp/shibui-metadata-providers.xml /opt/shibboleth-idp/conf/generated/

COPY container_files/system/setservername.sh /usr/local/bin/
RUN chmod 755 /usr/local/bin/setservername.sh

@@ -0,0 +1,6 @@
<?xml version="1.0" encoding="UTF-8"?>
<MetadataProvider xmlns="urn:mace:shibboleth:2.0:metadata"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
id="ShibbolethMetadata"
xsi:schemaLocation="urn:mace:shibboleth:2.0:metadata http://shibboleth.net/schema/idp/shibboleth-metadata.xsd urn:mace:shibboleth:2.0:resource http://shibboleth.net/schema/idp/shibboleth-resource.xsd urn:mace:shibboleth:2.0:security http://shibboleth.net/schema/idp/shibboleth-security.xsd urn:oasis:names:tc:SAML:2.0:metadata http://docs.oasis-open.org/security/saml/v2.0/saml-schema-metadata-2.0.xsd urn:oasis:names:tc:SAML:2.0:assertion http://docs.oasis-open.org/security/saml/v2.0/saml-schema-assertion-2.0.xsd"
xsi:type="ChainingMetadataProvider"/>
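Review bot: This new file (its header is not shown in this render; the idp/Dockerfile hunk copies `container_files/idp/shibui-metadata-providers.xml` into `/opt/shibboleth-idp/conf/generated/`, which this appears to be) is an empty `ChainingMetadataProvider` with no comment saying why it is empty, so a reader cannot tell whether it is a placeholder or a mistake. Presumably the Shib UI rewrites it at runtime; a one-line comment above the element such as `<!-- Placeholder: populated by the Shibboleth IdP UI at runtime; keep empty in the image -->` would record that. It would also help to state how this file under `conf/generated` relates to the `metadata/generated` directory that the new `LocalDynamicMetadataProvider` in metadata-providers.xml reads.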
66 changes: 66 additions & 0 deletions Workbench/idp/shibboleth-idp/conf/attribute-filter.xml
Expand Up @@ -37,4 +37,70 @@
<AttributeRule attributeID="mail" permitAny="true" />
</AttributeFilterPolicy>

<!-- Supports annotated metadata supplied by the Shibb UI -->
<AttributeFilterPolicy id="Per-Attribute-singleValued">
<PolicyRequirementRule xsi:type="ANY"/>
<AttributeRule attributeID="eduPersonPrincipalName">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonPrincipalName" />
</AttributeRule>
<AttributeRule attributeID="uid">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="uid" />
</AttributeRule>
<AttributeRule attributeID="mail">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="mail" />
</AttributeRule>
<AttributeRule attributeID="surname">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="surname" />
</AttributeRule>
<AttributeRule attributeID="givenName">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="givenName" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAffiliation">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonAffiliation" />
</AttributeRule>
<AttributeRule attributeID="eduPersonScopedAffiliation">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonScopedAffiliation" />
</AttributeRule>
<AttributeRule attributeID="eduPersonPrimaryAffiliation">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonPrimaryAffiliation" />
</AttributeRule>
<AttributeRule attributeID="eduPersonEntitlement">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonEntitlement" />
</AttributeRule>
<AttributeRule attributeID="eduPersonAssurance">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonAssurance" />
</AttributeRule>
<AttributeRule attributeID="eduPersonUniqueId">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="eduPersonUniqueId" />
</AttributeRule>
<AttributeRule attributeID="employeeNumber">
<PermitValueRule xsi:type="EntityAttributeExactMatch"
attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
attributeValue="employeeNumber" />
</AttributeRule>
</AttributeFilterPolicy>


</AttributeFilterPolicyGroup>
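Review bot: The new `Per-Attribute-singleValued` policy applies to every requester (`PolicyRequirementRule xsi:type="ANY"`) and permits each attribute solely on the `http://shibboleth.net/ns/attributes/releaseAllValues` entity attribute found in the SP's metadata, so attribute release is now decided by whoever can publish entity metadata — in this PR, the UI-fed `metadata/generated` directory read by the new `LocalDynamicMetadataProvider`. That is the intended design for UI-driven release, but the comment on the policy should say so explicitly, e.g. `<!-- Release is driven by the releaseAllValues entity attribute in SP metadata (managed via the Shib UI); the metadata sources are therefore the authorization boundary for release -->`. The twelve `AttributeRule` blocks differ only in the attribute name, so it is worth checking that each listed id matches what attribute-resolver.xml defines (e.g. `surname` is listed where `sn` is the more usual id), since a rule for an undefined attribute simply never matches. The enclosing `AttributeFilterPolicyGroup` starts outside the hunk.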
8 changes: 8 additions & 0 deletions Workbench/idp/shibboleth-idp/conf/metadata-providers.xml
Expand Up @@ -31,6 +31,14 @@
<MetadataProvider id="WordpressSP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/wordpress-sp.xml"/>
<MetadataProvider id="ProxySP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/proxy-sp.xml"/>
<MetadataProvider id="ShibUISP" xsi:type="FilesystemMetadataProvider" metadataFile="%{idp.home}/metadata/idpui-sp.xml"/>

<!-- For metadata generated by the Shib UI -->
<MetadataProvider id="LocalDynamic"
xsi:type="LocalDynamicMetadataProvider"
sourceDirectory="%{idp.home}/metadata/generated"
minCacheDuration="PT10S"
maxCacheDuration="PT30S"/>


<!-- Example HTTP metadata provider. Use this if you want to download
the metadata from a remote service.
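Review bot: The new `LocalDynamic` provider reads entity metadata from `%{idp.home}/metadata/generated` with no `MetadataFilter` (no signature, validity or entity-role check) and, as I read the 10 s / 30 s cache settings, picks up a written file within roughly 30 s. For a local workbench that is reasonable, but because the attribute-filter change in this PR keys release on entity attributes carried in that metadata, write access to the directory is effectively write access to the IdP's release policy; the comment `<!-- For metadata generated by the Shib UI -->` should record that assumption, e.g. `<!-- For metadata generated by the Shib UI; unfiltered, so the directory contents are trusted as-is -->`. The two blank lines left after the new element could be reduced to one to match the spacing of the providers above.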
76 changes: 76 additions & 0 deletions Workbench/idp/shibboleth-idp/conf/relying-party.xml
@@ -0,0 +1,76 @@
<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
xmlns:context="http://www.springframework.org/schema/context"
xmlns:util="http://www.springframework.org/schema/util"
xmlns:p="http://www.springframework.org/schema/p"
xmlns:c="http://www.springframework.org/schema/c"
xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"

default-init-method="initialize"
default-destroy-method="destroy">

<!--
Unverified RP configuration, defaults to no support for any profiles. Add <ref> elements to the list
to enable specific default profile settings (as below), or create new beans inline to override defaults.
"Unverified" typically means the IdP has no metadata, or equivalent way of assuring the identity and
legitimacy of a requesting system. To run an "open" IdP, you can enable profiles here.
-->
<bean id="shibboleth.UnverifiedRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<!-- <bean parent="SAML2.SSO" p:encryptAssertions="false" /> -->
</list>
</property>
</bean>

<!--
Default configuration, with default settings applied for all profiles, and enables
the attribute-release consent flow.
-->
<bean id="shibboleth.DefaultRelyingParty" parent="RelyingParty">
<property name="profileConfigurations">
<list>
<!-- SAML 1.1 and SAML 2.0 AttributeQuery are disabled by default. -->
<!--
<bean parent="Shibboleth.SSO" p:postAuthenticationFlows="attribute-release" />
<ref bean="SAML1.AttributeQuery" />
<ref bean="SAML1.ArtifactResolution" />
-->
<bean parent="SAML2.SSO.MDDriven" p:postAuthenticationFlows="attribute-release"/>
<!-- <bean parent="SAML2.SSO" p:postAuthenticationFlows="attribute-release" /> -->
<ref bean="SAML2.ECP" />
<ref bean="SAML2.Logout" />
<!--
<ref bean="SAML2.AttributeQuery" />
-->
<ref bean="SAML2.ArtifactResolution" />
<ref bean="Liberty.SSOS" />
</list>
</property>
</bean>

<!-- Container for any overrides you want to add. -->

<util:list id="shibboleth.RelyingPartyOverrides">

<!--
Override example that identifies a single RP by name and configures it
for SAML 2 SSO without encryption. This is a common "vendor" scenario.
-->
<!--
<bean parent="RelyingPartyByName" c:relyingPartyIds="https://sp.example.org">
<property name="profileConfigurations">
<list>
<bean parent="SAML2.SSO" p:encryptAssertions="false" />
</list>
</property>
</bean>
-->

</util:list>

</beans>
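Review bot: Apart from swapping `SAML2.SSO` for `SAML2.SSO.MDDriven` on `shibboleth.DefaultRelyingParty`, this file reads as the stock template, yet nothing marks that one deliberate change; a comment above `<bean parent="SAML2.SSO.MDDriven" p:postAuthenticationFlows="attribute-release"/>` such as `<!-- MDDriven: per-SP profile settings are read from entity attributes in metadata, which the Shib UI manages -->` would stop a future maintainer from "restoring" the commented-out `SAML2.SSO` line below it. With the metadata-driven profile, per-SP settings such as assertion encryption come from metadata as well, which ties this file to the trust placed in the metadata sources added in metadata-providers.xml. If the workbench does not exercise ECP or Liberty delegation, dropping `SAML2.ECP` and `Liberty.SSOS` from the default list would narrow the enabled profiles to what is actually used. The hunk header counts 76 lines while 75 render here, so one line may be missing from this view.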