Reduce size of the test idp container; avoid ldap changing host file …

…permissions; Grouper certs jks->pem

src/test/docker/directory/Dockerfile

@@ -1,4 +1,4 @@
 FROM osixia/openldap:1.3.0
 
 COPY 001_eduperson.ldif /container/service/slapd/assets/config/bootstrap/ldif
-COPY 999_users.ldif /container/service/slapd/assets/config/bootstrap/ldif
+COPY 999_users.ldif /container/service/slapd/assets/config/bootstrap/ldif

src/test/docker/docker-compose.yml

@@ -8,7 +8,8 @@ services:
       - "--entrypoints.web-secure.address=:443"
       - "--providers.file.directory=/configuration/"
       - "--providers.file.watch=true"
-      # - "--log.level=DEBUG"
+      - "--log.level=DEBUG"
+      - "--serversTransport.insecureSkipVerify=true"
     networks:
       reverse-proxy:
         aliases:
@@ -28,15 +29,21 @@ services:
     networks:
       - idp
       - grouper
+    ports:
+      - 389:389
     volumes:
       - directory_data:/var/lib/ldap
       - directory_config:/etc/ldap/slapd.d
-      - ./directory/certs:/container/service/slapd/assets/certs
+      - ./directory/certs:/tmp/certs:ro
     environment:
       LDAP_BASE_DN: "dc=unicon,dc=local"
       LDAP_DOMAIN: "unicon.local"
       HOSTNAME: "directory"
       LDAP_TLS_VERIFY_CLIENT: "try"
+      LDAP_SEED_INTERNAL_LDAP_TLS_CRT_FILE: /tmp/certs/ldap.crt
+      LDAP_SEED_INTERNAL_LDAP_TLS_KEY_FILE: /tmp/certs/ldap.key
+      LDAP_SEED_INTERNAL_LDAP_TLS_CA_CRT_FILE: /tmp/certs/ca.crt
+      LDAP_SEED_INTERNAL_LDAP_TLS_DH_PARAM_FILE: /tmp/certs/dhparam.pem
   database:
     image: postgres
     networks:
@@ -61,9 +68,11 @@ services:
     networks:
       - idp
       - reverse-proxy
+    #ports:
+    #  - 8443:443
     volumes:
-      - ./directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt
-      - ./grouper/config/sp-metadata.xml:/opt/shibboleth-idp/metadata/sp-metadata.xml
+      - ./directory/certs/ca.crt:/opt/shibboleth-idp/credentials/ldap-server.crt:ro
+      - ./grouper/config/sp-metadata.xml:/opt/shibboleth-idp/metadata/sp-metadata.xml:ro
     healthcheck:
       disable: true
   grouper-ui:
@@ -85,11 +94,17 @@ services:
     volumes:
       - ../../../target/grouper-authentication-plugin-0.0.1-SNAPSHOT.jar:/opt/grouper/plugins/grouper-authentication-plugin.jar
       - ./grouper/config/grouper.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper.properties
-      - ./grouper/config/grouper-ui.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-ui.properties
+      ## Uncomment one of the grouper-ui.properties below depending on the authentication method
+      ##   -- OIDC --
+      - ./grouper/config/grouper-ui.properties.oidc:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-ui.properties
+      ##   -- SAML --
+      #- ./grouper/config/grouper-ui.properties.saml:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-ui.properties
+      ##   -- CAS --
+      #- ./grouper/config/grouper-ui.properties.cas:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-ui.properties
       - ./grouper/config/grouper-loader.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/grouper-loader.properties
       - ./grouper/config/subject.properties:/opt/grouper/grouperWebapp/WEB-INF/classes/subject.properties
       - ./shibboleth-idp/opt-shibboleth-idp/metadata/idp-metadata.xml:/opt/grouper/idp-metadata.xml
-      - ./grouper/cacerts:/usr/lib/jvm/java-17-amazon-corretto/lib/security/cacerts
+      - ./grouper/certs/unicon.local.pem:/opt/grouper/certs/client/unicon.local.pem
     environment:
       GROUPER_DATABASE_URL: "jdbc:postgresql://database/grouper"
       GROUPER_DATABASE_USERNAME: "grouper"

src/test/docker/grouper/certs/unicon.local.pem

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDCDCCAfCgAwIBAgIJANdpvkovSXs6MA0GCSqGSIb3DQEBCwUAMBkxFzAVBgNV
+BAMMDioudW5pY29uLmxvY2FsMB4XDTIwMDUyNzE3MzE1OVoXDTMwMDUyNzE3MzE1
+OVowGTEXMBUGA1UEAwwOKi51bmljb24ubG9jYWwwggEiMA0GCSqGSIb3DQEBAQUA
+A4IBDwAwggEKAoIBAQCh9zduMpOqWDPfx5vHSBoWDwk44cc8XdFCD7nqi9EPHewO
+jAKCVihWKGa3OX6kQ4g6VIE7PCqdvtjq6eJ54FKuJ7FiFQweuaUXlXx5tdiWYfVe
++BV7jaLJGy0iniPgx8Pu9ajQOOINcmLwixYkTe+OBfeMgeivk0+o58/Lmkl2FyAv
+IvGA2Glxf8QtxQwHgtQLU3aHRlgi6YHSIxolvX+CuDvj4xsgLBdCphYkJtUXmaKO
+frQRxnHVxUUptWptqbwJPxrOMnIIdteRnduo+/i0RZ33+tC5W61Cr2uyoDGUzmKE
+HKgfTMxLeqJLtm+sB74xmI3Fsnq3qfWajZLqUyz5AgMBAAGjUzBRMB0GA1UdDgQW
+BBROeSN15J2wAW9OMZAdPIz84DEOsjAfBgNVHSMEGDAWgBROeSN15J2wAW9OMZAd
+PIz84DEOsjAPBgNVHRMBAf8EBTADAQH/MA0GCSqGSIb3DQEBCwUAA4IBAQASo38W
+sqw8vijAs3DSYUCjFjlAvlwjsXU0y4IpelmgYSWD0Lqfb9/5jEu06F8hzLMSzmAL
+4UKIX6TwtLQb3HLvYObbjhaSSYG0Tl702dANW499QlHF/gYsCb9C6oA+5jzfHd7Y
+LS8bUv6gZkC3rP1E0kCGLJGrtvdMniAPuZ8W25SFedpR0iR7+d+lg9oOBsgjkWGc
+eKNtSJvic5dyZQCDlEzXVa3lyBOrawW9J/Sqhm0v3Tar1CVKoeXU3QV/bx7s8TWH
+YvaxQ82dOsGwZDMmPHhnJQDIQqjt2H9RJjrJy440RwyLiDr1A3/AJxrqpz98QONG
+FOhuJQXDH3YGDP7B
+-----END CERTIFICATE-----

src/test/docker/grouper/config/grouper-ui.properties.cas

@@ -0,0 +1,7 @@
+grouper.is.extAuth.enabled = true
+external.authentication.grouperContextUrl = https://grouper-ui.unicon.local/grouper
+
+# Note for CAS: you'll need to make sure that the CAS server SSL certificate is available in the trust store
+external.authentication.provider = cas
+external.authentication.cas.prefixUrl = https://idp.unicon.local/idp/profile/cas
+external.authentication.cas.protocol = CAS20

src/test/docker/grouper/config/grouper-ui.properties.oidc

@@ -0,0 +1,8 @@
+grouper.is.extAuth.enabled = true
+external.authentication.grouperContextUrl = https://grouper-ui.unicon.local/grouper
+
+external.authentication.provider = oidc
+external.authentication.oidc.clientId = grouper
+external.authentication.oidc.discoveryURI = https://idp.unicon.local/idp/profile/oidc/configuration
+external.authentication.oidc.secret = thisisverysecret
+external.authentication.oidc.claimAsUsername = preferred_username

src/test/docker/grouper/config/grouper-ui.properties.saml

@@ -0,0 +1,12 @@
+grouper.is.extAuth.enabled = true
+external.authentication.grouperContextUrl = https://grouper-ui.unicon.local/grouper
+
+external.authentication.provider = saml
+external.authentication.saml.identityProviderEntityId = https://idp.unicon.local/idp/shibboleth
+external.authentication.saml.serviceProviderEntityId = http://localhost:8080/grouper
+external.authentication.saml.serviceProviderMetadataPath = file:/opt/grouper/sp-metadata.xml
+external.authentication.saml.identityProviderMetadataPath = file:/opt/grouper/idp-metadata.xml
+external.authentication.saml.keystorePath = file:/opt/grouper/here.key
+external.authentication.saml.keystorePassword = testme
+external.authentication.saml.privateKeyPassword = testme
+external.authentication.saml.attributeAsId = urn:oid:0.9.2342.19200300.100.1.1

src/test/docker/shibboleth-idp/Dockerfile

@@ -1,42 +1,61 @@
-FROM amazoncorretto:17 as install
-
-ARG TOMCAT_VERSION=10.1.15
-
-COPY keys/* /tmp/keys/
-
-RUN yum install -y tar gzip
-
-RUN gpg --import /tmp/keys/TOMCAT_PGP_KEYS
-
-RUN curl -L https://archive.apache.org/dist/tomcat/tomcat-10/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz -o apache-tomcat-$TOMCAT_VERSION.tar.gz \
-    && curl https://archive.apache.org/dist/tomcat/tomcat-10/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc -o apache-tomcat-$TOMCAT_VERSION.tar.gz.asc \
-    && gpg --verify apache-tomcat-$TOMCAT_VERSION.tar.gz.asc apache-tomcat-$TOMCAT_VERSION.tar.gz \
-    && tar -zxvf apache-tomcat-$TOMCAT_VERSION.tar.gz -C /opt \
-    && rm apache-tomcat-$TOMCAT_VERSION.tar.gz \
-    && mv /opt/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat \
-    && rm -rf /opt/tomcat/webapps/*
-
-FROM amazoncorretto:17 as shib-setup
-
-RUN yum install -y dos2unix
-
-COPY opt-shibboleth-idp /opt/shibboleth-idp/
-
-RUN dos2unix /opt/shibboleth-idp/bin/*.sh \
-    && chmod +x /opt/shibboleth-idp/bin/*.sh
-
-FROM amazoncorretto:17 as prod
-
-COPY --from=install /opt/tomcat /opt/tomcat/
-
-COPY --from=shib-setup /opt/shibboleth-idp /opt/shibboleth-idp/
-
-COPY tomcat/idp.xml /opt/tomcat/conf/Catalina/localhost/
-COPY tomcat/server.xml /opt/tomcat/conf/
-COPY tomcat/setenv.sh /opt/tomcat/bin/
-
-ENTRYPOINT /opt/shibboleth-idp/bin/build.sh && /opt/tomcat/bin/catalina.sh run
-
-FROM prod as dev
-
-FROM prod
+FROM tier/shib-idp:4.3.1_20231218
+
+WORKDIR /opt/shibboleth-idp
+
+COPY plugin-truststore/net.shibboleth.oidc.common/truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.oidc.common/
+COPY plugin-truststore/net.shibboleth.idp.plugin.oidc.config/truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.idp.plugin.oidc.config/
+COPY plugin-truststore/net.shibboleth.idp.plugin.oidc.op/truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.idp.plugin.oidc.op/
+
+RUN bin/plugin.sh --noPrompt -I net.shibboleth.oidc.common \
+    && bin/plugin.sh --noPrompt -I net.shibboleth.idp.plugin.oidc.config \
+    && bin/plugin.sh --noPrompt -I net.shibboleth.idp.plugin.oidc.op
+
+COPY tomcat/server.xml /usr/local/tomcat/conf/
+
+COPY opt-shibboleth-idp/ /opt/shibboleth-idp/
+
+EXPOSE 8080
+
+
+#FROM amazoncorretto:17 as install
+#
+#ARG TOMCAT_VERSION=10.1.15
+#
+#COPY keys/* /tmp/keys/
+#
+#RUN yum install -y tar gzip
+#
+#RUN gpg --import /tmp/keys/TOMCAT_PGP_KEYS
+#
+#RUN curl -L https://archive.apache.org/dist/tomcat/tomcat-10/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz -o apache-tomcat-$TOMCAT_VERSION.tar.gz \
+#    && curl https://archive.apache.org/dist/tomcat/tomcat-10/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc -o apache-tomcat-$TOMCAT_VERSION.tar.gz.asc \
+#    && gpg --verify apache-tomcat-$TOMCAT_VERSION.tar.gz.asc apache-tomcat-$TOMCAT_VERSION.tar.gz \
+#    && tar -zxvf apache-tomcat-$TOMCAT_VERSION.tar.gz -C /opt \
+#    && rm apache-tomcat-$TOMCAT_VERSION.tar.gz \
+#    && mv /opt/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat \
+#    && rm -rf /opt/tomcat/webapps/*
+#
+#FROM amazoncorretto:17 as shib-setup
+#
+#RUN yum install -y dos2unix
+#
+#COPY opt-shibboleth-idp /opt/shibboleth-idp/
+#
+#RUN dos2unix /opt/shibboleth-idp/bin/*.sh \
+#    && chmod +x /opt/shibboleth-idp/bin/*.sh
+#
+#FROM amazoncorretto:17 as prod
+#
+#COPY --from=install /opt/tomcat /opt/tomcat/
+#
+#COPY --from=shib-setup /opt/shibboleth-idp /opt/shibboleth-idp/
+#
+#COPY tomcat/idp.xml /opt/tomcat/conf/Catalina/localhost/
+#COPY tomcat/server.xml /opt/tomcat/conf/
+#COPY tomcat/setenv.sh /opt/tomcat/bin/
+#
+#ENTRYPOINT /opt/shibboleth-idp/bin/build.sh && /opt/tomcat/bin/catalina.sh run
+#
+#FROM prod as dev
+#
+#FROM prod