Make changes for spring 2022.

Change class password, AMIs for VMs and docker version in group_vars/all.yml. Upgrade to shib-idp 4.1.x and upgrade slapd on idp node Add new directory named views and associated directory structure and files to comply with upgrade to shib-idp 4.1.x Add changes to idp playbook to copy the views directory and assocated directory structure/files to proper places on VMs Change compose file forr idp node to mount the new view directory Change idp.properties to work with shib-idp 4.1.x upgrade versions of mariadb, comanage_registry, comanage_registry_cron and slapd on training nodes Add a new crontab to run specific and queued jobs for COs 2-5 (in case students create multiple COs while experimenting Change to new csv format for the hr.scsv and registrar.csv org identity source files change main playbook to copy crontab to the right place
satkinson · Mar 29, 2022 · dcb1c2b · dcb1c2b
1 parent 820e972
commit dcb1c2b
Show file tree

Hide file tree

Showing 22 changed files with 1,272 additions and 152 deletions.
diff --git a/group_vars/all.yml b/group_vars/all.yml
@@ -5,11 +5,11 @@
 # ansible-vault encrypt_string 'THE_PASSWORD' --name 'comanage_training_password'
 comanage_training_password: !vault |
           $ANSIBLE_VAULT;1.1;AES256
-          32313732343132636531663538353439663964333130616633663761313336636663323938396566
-          6539353462616330626235646530626662333630613635340a323230333133326232326630396263
-          64383336316234656364666630396362313563346364383735303131323266326465623531373637
-          3138373937323761360a323138383436353439633031306438373766303763643630643263356530
-          3638
+          32633234306463303963343034356533353265666533623339646461613233366265303632343131
+          3234303062643464383363656335383966343932303631330a383231626666326366613236633338
+          30396135396232653961653266393862656332633630616233386633396262626461613237306163
+          6537633933333430640a303736336438363439336634626562633732643032653862653130373764
+          3966
 
 # It should not be necessary to change the password salt.
 comanage_training_password_salt: !vault |
@@ -50,15 +50,15 @@ vpc_availability_zone:
 
 ssh_bastion_instance_type: t2.nano
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-ssh_bastion_ami_id: ami-07fd151b9eb3b7264
+ssh_bastion_ami_id: ami-0d0d8694ba492c02b
 ssh_bastion_user: admin
 ssh_bastion_device_name: /dev/xvda
 ssh_bastion_volume_type: gp2
 ssh_bastion_volume_size: 10
 
 idp_node_instance_type: t2.small
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-idp_node_ami_id: ami-07fd151b9eb3b7264
+idp_node_ami_id: ami-0d0d8694ba492c02b
 idp_node_user: admin
 idp_node_device_name: /dev/xvda
 idp_node_volume_type: gp2
@@ -68,15 +68,15 @@ training_node_count: 2
 
 training_node_instance_type: t2.small
 # Most current Debian AMD x86_64, see https://wiki.debian.org/Cloud/AmazonEC2Image/
-training_node_ami_id: ami-07fd151b9eb3b7264 
+training_node_ami_id: ami-0d0d8694ba492c02b
 training_node_user: admin
 training_node_device_name: /dev/xvda
 training_node_volume_type: gp2
 training_node_volume_size: 20
 
 # Docker version
-docker_ce_package_version: "5:20.10.9~3-0~debian-bullseye"
-docker_ce_cli_package_version: "5:20.10.9~3-0~debian-bullseye"
-containerd_io_package_version: "1.4.11-1"
+docker_ce_package_version: "5:20.10.12~3-0~debian-bullseye"
+docker_ce_cli_package_version: "5:20.10.12~3-0~debian-bullseye"
+containerd_io_package_version: "1.4.12-1"
 
 
diff --git a/roles/idp/files/shibboleth-idp-stack.yml b/roles/idp/files/shibboleth-idp-stack.yml
@@ -2,7 +2,7 @@ version: '3.7'
 
 services:
     shibboleth-idp:
-        image: i2incommon/shib-idp:4.0.1_20210302
+        image: i2incommon/shib-idp:4.1.5_20220119
         volumes:
             - /srv/docker/usr/local/tomcat/conf/server.xml:/usr/local/tomcat/conf/server.xml
             - /srv/docker/opt/shibboleth-idp/conf/idp.properties:/opt/shibboleth-idp/conf/idp.properties
@@ -18,6 +18,7 @@ services:
             - /srv/docker/opt/shibboleth-idp/credentials/sealer.jks:/opt/shibboleth-idp/credentials/sealer.jks
             - /srv/docker/opt/shibboleth-idp/credentials/secrets.properties:/opt/shibboleth-idp/credentials/secrets.properties
             - /srv/docker/opt/shibboleth-idp/metadata/registry-metadata.xml:/opt/shibboleth-idp/metadata/registry-metadata.xml
+            - /srv/docker/opt/shibboleth-idp/views:/opt/shibboleth-idp/views
         # Sleep for 10 seconds to give time for LDAP to come up and then start the IdP.
         entrypoint: 
             - "/usr/bin/bash"
@@ -35,7 +36,7 @@ services:
                 tag: "shibboleth-idp_{{.Name}}"
 
     ldap:
-        image: sphericalcowgroup/comanage-registry-slapd:4
+        image: sphericalcowgroup/comanage-registry-slapd:8
         command: ["slapd", "-d", "256", "-h", "ldapi:/// ldap:///", "-u", "openldap", "-g", "openldap"]
         volumes:
             - /srv/docker/var/lib/ldap:/var/lib/ldap

diff --git a/roles/idp/files/views/admin/hello.vm b/roles/idp/files/views/admin/hello.vm
@@ -0,0 +1,73 @@
+##
+## Velocity Template for Hello World page.
+##
+## Velocity context will contain the following properties
+## flowRequestContext - the Spring Web Flow RequestContext
+## encoder - HTMLEncoder class
+## request - HttpServletRequest
+## response - HttpServletResponse
+## profileRequestContext - root of context tree
+## subjectContext - ProfileRequestContext -> SubjectContext
+## attributeContext - ProfileRequestContext -> AttributeContext
+## environment - Spring Environment object for property resolution
+## custom - arbitrary object injected by deployer
+##
+<!DOCTYPE html>
+<html>
+  <head>
+    <meta charset="utf-8">
+    <meta name="viewport" content="width=device-width,initial-scale=1.0">
+    <title>#springMessageText("idp.title", "Web Login Service") - #springMessageText("hello-world.title", "Hello World")</title>
+    <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+  </head>
+
+  <body>
+    <div class="wrapper">
+      <div class="container" style="width: 100%">
+        <header>
+          <img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
+          <h3>#springMessageText("idp.title", "Web Login Service")</h3>
+        </header>
+
+        <div class="content">
+          <h4>#springMessageText("hello-world.greeting", "Greetings"), <em>$encoder.encodeForHTML($subjectContext.getPrincipalName())</em></h4>
+          <br/>
+          <h4>Authenticated By</h4>
+          #foreach ($result in $subjectContext.getAuthenticationResults().entrySet())
+            <blockquote>$encoder.encodeForHTML($result.getKey())</blockquote>
+          #end
+          <br/>
+          <h4>Java Principals in Subjects</h4>
+          #foreach ($s in $subjectContext.getSubjects())
+            #foreach ($p in $s.getPrincipals())
+              <blockquote>$encoder.encodeForHTML($p)<blockquote>
+            #end
+          #end
+          #if ($attributeContext && !$attributeContext.getUnfilteredIdPAttributes().isEmpty())
+            <br/>
+            <h4>Attributes:</h4>
+            #foreach ($a in $attributeContext.getUnfilteredIdPAttributes())
+              #if (!$a.getValues().isEmpty())
+                <br/>
+                <h5>$encoder.encodeForHTML($a.getId())</h5>
+                  #foreach ($v in $a.getValues())
+                    <blockquote>$encoder.encodeForHTML($v.getDisplayValue())</blockquote>
+                  #end
+              #end
+            #end
+          #end
+        </div>
+
+        <header>
+          <h3><a href="$request.getContextPath()/profile/admin/hello">#springMessageText("hello-world.reload", "Reload the Page")</a></h3>
+        </header>
+      </div>
+
+      <footer>
+        <div class="container container-footer">
+          <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
+        </div>
+      </footer>
+    </div>
+  </body>
+</html>
diff --git a/roles/idp/files/views/client-storage/client-storage-read.vm b/roles/idp/files/views/client-storage/client-storage-read.vm
@@ -0,0 +1,53 @@
+##
+## Velocity template to read from local storage.
+##
+## Velocity context will contain the following properties
+## flowExecutionUrl - the form action location
+## flowRequestContext - the Spring Web Flow RequestContext
+## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
+## profileRequestContext - root of context tree
+## loadContext - context with details about the storage keys to load
+## encoder - HTMLEncoder class
+## request - HttpServletRequest
+## response - HttpServletResponse
+## environment - Spring Environment object for property resolution
+#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
+#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-read.suffix", "Loading Session Information"))
+##
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8" />
+        <meta name="viewport" content="width=device-width,initial-scale=1.0">
+        <title>$title - $titleSuffix</title>
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <script>
+        <!--
+        #include( "client-storage/local-storage-read.js" )
+        // -->
+        </script>
+    </head>
+    <body onload="doLoad()">
+        <div class="wrapper">
+            <div class="container">
+                <header>
+                    <h3>$title - $titleSuffix</h3>
+                </header>
+                <div class="content">
+                $springMacroRequestContext.getMessage("idp.client-storage-read.text", "Loading login session information from the browser...")
+                </div>
+                <noscript>
+                    <div class="content">
+                    $springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
+                    </div>
+                </noscript>
+                #parse( "client-storage/read.vm" )
+            </div>
+            <footer>
+                <div class="container container-footer">
+                    <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
+                </div>
+            </footer>
+        </div>
+    </body>
+</html>
diff --git a/roles/idp/files/views/client-storage/client-storage-write.vm b/roles/idp/files/views/client-storage/client-storage-write.vm
@@ -0,0 +1,53 @@
+##
+## Velocity template to write to local storage.
+##
+## Velocity context will contain the following properties
+## flowExecutionUrl - the form action location
+## flowRequestContext - the Spring Web Flow RequestContext
+## flowExecutionKey - the SWF execution key (this is built into the flowExecutionUrl)
+## profileRequestContext - root of context tree
+## saveContext - context with details about the storage data to save
+## encoder - HTMLEncoder class
+## request - HttpServletRequest
+## response - HttpServletResponse
+## environment - Spring Environment object for property resolution
+#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
+#set ($titleSuffix = $springMacroRequestContext.getMessage("idp.client-storage-write.suffix", "Saving Session Information..."))
+##
+<!DOCTYPE html>
+<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en">
+    <head>
+        <meta charset="utf-8" />
+        <meta name="viewport" content="width=device-width,initial-scale=1.0">
+        <title>$title - $titleSuffix</title>
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+        <script>
+        <!--
+        #include( "client-storage/local-storage-write.js" )
+        // -->
+        </script>
+    </head>
+    <body onload="doSave()">
+        <div class="wrapper">
+            <div class="container">
+                <header>
+                    <h3>$title - $titleSuffix</h3>
+                </header>
+                <div class="content">
+                $springMacroRequestContext.getMessage("idp.client-storage-write.text", "Saving login session information to the browser...")
+                </div>
+                <noscript>
+                    <div class="content">
+                    $springMacroRequestContext.getMessage("idp.client-storage.no-js", "Since your browser does not support JavaScript, you must press the Continue button once to proceed.")
+                    </div>
+                </noscript>
+                #parse( "client-storage/write.vm" )
+            </div>
+            <footer>
+                <div class="container container-footer">
+                    <p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
+                </div>
+            </footer>
+        </div>
+    </body>
+</html>
diff --git a/roles/idp/files/views/error.vm b/roles/idp/files/views/error.vm
@@ -0,0 +1,75 @@
+##
+## Velocity Template for error end-state
+##
+## Velocity context will contain the following properties
+## flowRequestContext - the Spring Web Flow RequestContext
+## profileRequestContext - root of context tree
+## encoder - HTMLEncoder class
+## request - HttpServletRequest
+## response - HttpServletResponse
+## environment - Spring Environment object for property resolution
+## custom - arbitrary object injected by deployer
+##
+#set ($title = $springMacroRequestContext.getMessage("idp.title", "Web Login Service"))
+#set ($defaultTitleSuffix = $springMacroRequestContext.getMessage("idp.title.suffix", "Error"))
+##
+#if ($flowRequestContext)
+	## This handles flow events, the most common case.
+    #set ($eventId = $flowRequestContext.getCurrentEvent().getId())
+    #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error"))
+    #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix"))
+    #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId"))
+    #if ($eventId == "AccessDenied" or $eventId == "ContextCheckDenied")
+        $response.setStatus(403)
+    #elseif ($eventId == "AttributeReleaseRejected" || $eventId == "TermsRejected")
+        $response.setStatus(200)
+    #elseif ($eventKey == "unexpected" || $eventKey == "runtime-error" || $eventKey == "error")
+        $response.setStatus(500)
+    #else
+        $response.setStatus(400)
+    #end
+#elseif ($exception)
+	## This handles exceptions that reach the Spring-MVC exception handler.
+    #set ($eventId = $exception.getClass().getSimpleName())
+    #set ($eventKey = $springMacroRequestContext.getMessage("$eventId", "error"))
+    #set ($titleSuffix = $springMacroRequestContext.getMessage("${eventKey}.title", "$defaultTitleSuffix"))
+    #set ($message = $springMacroRequestContext.getMessage("${eventKey}.message", "$defaultTitleSuffix: $eventId"))
+    $response.setStatus(500)
+#else
+	## This is a catch-all that theoretically shouldn't happen?
+    #set ($titleSuffix = $defaultTitleSuffix)
+    #set ($message = $springMacroRequestContext.getMessage("idp.message", "An unidentified error occurred."))
+    $response.setStatus(500)
+#end
+##
+<!DOCTYPE html>
+<html>
+    <head>
+        <meta charset="utf-8">
+        <meta name="viewport" content="width=device-width,initial-scale=1.0">
+        <title>$title - $titleSuffix</title>
+        <link rel="stylesheet" type="text/css" href="$request.getContextPath()/css/main.css">
+    </head>
+
+    <body>
+    <div class="wrapper">
+    	<div class="container">
+        	<header>
+				<img src="$request.getContextPath()#springMessage("idp.logo")" alt="#springMessageText("idp.logo.alt-text", "logo")">
+				<h3>$title - $titleSuffix</h3>
+			</header>
+
+        	<div class="content">
+            #evaluate($message)
+            </div>
+    	</div>
+
+      	<footer>
+        	<div class="container container-footer">
+          		<p class="footer-text">#springMessageText("idp.footer", "Insert your footer text here.")</p>
+        	</div>
+      	</footer>
+
+    </div>
+    </body>
+</html>