From 649c63a86c60a8c87a2b96c8d99b30e60c7f23a9 Mon Sep 17 00:00:00 2001
From: bourasom
Date: Fri, 27 Dec 2019 16:10:41 +0100
Subject: [PATCH 1/2] ITOP-4284: init lemonldap integration

---
 _functions.sh | 18 ++++-
 _functions_lemonldap.sh | 116 ++++++++++++++++++++++++++++++
 _functions_tomcat.sh | 12 ++++
 etc/adt/config.template | 2 +
 etc/gatein/jbid_test_keystore.jks | Bin 0 -> 1276 bytes
 etc/gatein/picketlink-sp.xml | 30 ++++++++
 6 files changed, 176 insertions(+), 2 deletions(-)
 create mode 100644 _functions_lemonldap.sh
 create mode 100644 etc/gatein/jbid_test_keystore.jks
 create mode 100644 etc/gatein/picketlink-sp.xml

diff --git a/_functions.sh b/_functions.sh
index 1f0be30a..b4886c64 100755
--- a/_functions.sh
+++ b/_functions.sh
@@ -31,6 +31,7 @@ source "${SCRIPT_DIR}/_functions_es.sh"
 source "${SCRIPT_DIR}/_functions_chat.sh"
 source "${SCRIPT_DIR}/_functions_onlyoffice.sh"
 source "${SCRIPT_DIR}/_functions_ldap.sh"
+source "${SCRIPT_DIR}/_functions_lemonldap.sh"
 source "${SCRIPT_DIR}/_functions_cmis.sh"
 # #################################################################################
@@ -268,7 +269,8 @@ initialize_product_settings() {
 env_var "DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED" false
 configurable_env_var "DEPLOYMENT_ONLYOFFICE_IMAGE" "onlyoffice/documentserver-ie"
 configurable_env_var "DEPLOYMENT_ONLYOFFICE_SECRET" ""
-
+ configurable_env_var "DEPLOYMENT_SAML_ENABLED" false
+ configurable_env_var "DEPLOYMENT_LEMONLDAP_ENABLED" false
 configurable_env_var "DEPLOYMENT_LDAP_ENABLED" false
 configurable_env_var "DEPLOYMENT_LDAP_IMAGE" "dinkel/openldap"
 configurable_env_var "DEPLOYMENT_LDAP_IMAGE_VERSION" "latest"
@@ -279,7 +281,9 @@ initialize_product_settings() {
 configurable_env_var "USER_DIRECTORY_BASE_DN" "dc=exoplatform,dc=com"
 configurable_env_var "USER_DIRECTORY_ADMIN_DN" "cn=admin,dc=exoplatform,dc=com"
 configurable_env_var "USER_DIRECTORY_ADMIN_PASSWORD" "exo"
-
+ # LEMONLDAP CONF
+ configurable_env_var "DEPLOYMENT_LEMONLDAP_IMAGE" "coudot/lemonldap-ng"
+ configurable_env_var "DEPLOYMENT_LEMONLDAP_IMAGE_VERSION" "2.0.6"
 if [[ "$DEPLOYMENT_ADDONS" =~ "exo-onlyoffice" ]]; then
 env_var "DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED" true
 fi
@@ -370,7 +374,13 @@ initialize_product_settings() {
 env_var "LDAP_GATEIN_PATCH_PRODUCT_NAME" "${PRODUCT_NAME}"
 env_var "SET_ENV_PRODUCT_NAME" "${PRODUCT_NAME}"
 env_var "STANDALONE_PRODUCT_NAME" "${PRODUCT_NAME}"
+ env_var "DEPLOYMENT_SAML_ENABLED" "$DEPLOYMENT_SAML_ENABLED"
+ # ACTIVATE SAML CONF
+ if $DEPLOYMENT_SAML_ENABLED ; then
+ env_var DEPLOYMENT_LEMONLDAP_ENABLED "true"
+ env_var DEPLOYMENT_LDAP_ENABLED "true"
+ fi
 # Validate product and load artifact details
 # Be careful, this id should be no longer than 10 (because of mysql user name limit)
 case "${PRODUCT_NAME}" in
@@ -882,6 +892,7 @@ initialize_product_settings() {
 do_get_cmis_settings
 do_get_onlyoffice_settings
 do_get_ldap_settings
+ do_get_lemonldap_settings
 do_get_database_settings
 do_get_es_settings
 do_get_chat_settings
@@ -1404,6 +1415,7 @@ do_start() {
 do_start_onlyoffice
 do_start_ldap
+ do_start_lemonldap
 do_start_cmis
 do_start_database
 do_start_es
@@ -1617,6 +1629,7 @@ do_stop() {
 esac
 echo_info "Server stopped."
 do_stop_ldap
+ do_stop_lemonldap
 do_stop_onlyoffice
 do_stop_cmis
 do_stop_database
@@ -1651,6 +1664,7 @@ do_undeploy() {
 fi
 do_drop_onlyoffice_data
 do_drop_ldap_data
+ do_drop_lemonldap_data
 do_drop_cmis_data
 do_drop_chat
 do_drop_es_data
diff --git a/_functions_lemonldap.sh b/_functions_lemonldap.sh
new file mode 100644
index 00000000..4c28b547
--- /dev/null
+++ b/_functions_lemonldap.sh
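Review bot: `if $DEPLOYMENT_SAML_ENABLED ; then` in the added block of the @@ -370 hunk executes the variable's content as a command, so a configurable value that is not literally `true` or `false` is run as a program and, because it sits in an `if` condition, its failure is silently taken as "disabled" rather than reported. The other new code in this patch compares flags as strings, so the same form belongs here: `if [ "${DEPLOYMENT_SAML_ENABLED}" == "true" ]; then`. For consistency with the neighbouring calls the two overrides should also quote the name, `env_var "DEPLOYMENT_LEMONLDAP_ENABLED" "true"` and `env_var "DEPLOYMENT_LDAP_ENABLED" "true"`. initialize_product_settings starts and ends outside the hunk.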
@@ -0,0 +1,116 @@
+#!/bin/bash -eu
+
+# Don't load it several times
+set +u
+${_FUNCTIONS_LEMONLDAP_LOADED:-false} && return
+set -u
+
+# if the script was started from the base directory, then the
+# expansion returns a period
+if test "${SCRIPT_DIR}" == "."; then
+ SCRIPT_DIR="$PWD"
+ # if the script was not called with an absolute path, then we need to add the
+ # current working directory to the relative path of the script
+elif test "${SCRIPT_DIR:0:1}" != "/"; then
+ SCRIPT_DIR="$PWD/${SCRIPT_DIR}"
+fi
+
+do_get_lemonldap_settings() {
+ if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "false" ]; then
+ return;
+ fi
+ env_var DEPLOYMENT_LEMONLDAP_CONTAINER_NAME "${INSTANCE_KEY}_lemonldap"
+}
+
+#
+# Drops all LemonLdap data used by the instance.
+#
+do_drop_lemonldap_data() {
+ echo_info "Dropping lemonldap data ..."
+ if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "true" ]; then
+ echo_info "Drops Lemonldap container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ..."
+ delete_docker_container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+ echo_info "Done."
+ echo_info "Lemonldap data dropped"
+ else
+ echo_info "Skip Drops Lemonldap container ..."
+ fi
+}
+
+do_stop_lemonldap() {
+ echo_info "Stopping Lemonldap ..."
+ if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "false" ]; then
+ echo_info "Lemonldap wasn't specified, skiping its server container shutdown"
+ return
+ fi
+ ensure_docker_container_stopped ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+ echo_info "Lemonldap container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} stopped."
+}
+
+do_start_lemonldap() {
+ echo_info "Starting Ldap..."
+ if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "false" ]; then
+ echo_info "Lemonldap not specified, skiping its server container startup"
+ return
+ fi
+
+ echo_info "Starting Lemonldap container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} based on image ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}"
+
+ # Ensure there is no container with the same name
+ delete_docker_container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+
+ ${DOCKER_CMD} run \
+ -d \
+ -e SSODOMAIN="${DEPLOYMENT_EXT_HOST}" \
+ -e PORTAL_HOSTNAME="auth.${DEPLOYMENT_EXT_HOST}" \
+ -e MANAGER_HOSTNAME="manager.${DEPLOYMENT_EXT_HOST}" \
+ -e HANDLER_HOSTNAME="handler.${DEPLOYMENT_EXT_HOST}" \
+ -e TEST1_HOSTNAME="exo.${DEPLOYMENT_EXT_HOST}" \
+ -e LOGLEVEL="debug" \
+ -e FASTCGI_LISTEN_PORT="" \
+ --name ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}
+
+ evaluate_file_content ${ETC_DIR}/lemonldap/conf/config.json.template ${DEPLOYMENT_DIR}/temp/configlemon.json
+
+# Import lemon ldap configuration
+cat ${DEPLOYMENT_DIR}/temp/configlemon.json | ${DOCKER_CMD} exec -T ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore -
+
+# restart lemon to be sure the configuration is uptodate
+${DOCKER_CMD} restart --no-deps ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+
+ echo_info "${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} container started"
+
+ check_lemonldap_availability
+}
+
+check_lemonldap_availability() {
+ echo_info "Waiting for Lemonldap availability on port ${DEPLOYMENT_LEMONLDAP_PORT}"
+ local count=0
+ local try=600
+ local wait_time=1
+ local RET=-1
+
+ #while [ $count -lt $try -a $RET -ne 0 ]; do
+ # count=$(( $count + 1 ))
+ # set +e
+#
+ # curl -s -q --max-time ${wait_time} ldap://localhost:${DEPLOYMENT_LDAP_PORT} > /dev/null
+ # RET=$?
+ # if [ $RET -ne 0 ]; then
+ # [ $(( ${count} % 10 )) -eq 0 ] && echo_info "Lemonldap not yet available (${count} / ${try})..."
+ # echo -n "."
+ # sleep $wait_time
+ # fi
+ # set -e
+ #done
+ #if [ $count -eq $try ]; then
+ # echo_error "Ldap ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} not available after $(( ${count} * ${wait_time}))s"
+ # exit 1
+ #fi
+ echo_info "LemonLdap ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} up and available"
+}
+
+# #############################################################################
+# Env var to not load it several times
+_FUNCTIONS_LEMONLDAP_LOADED=true
+echo_debug "_function_lemonldap.sh Loaded"
diff --git a/_functions_tomcat.sh b/_functions_tomcat.sh
index 54a1048e..8e757cd0 100755
--- a/_functions_tomcat.sh
+++ b/_functions_tomcat.sh
@@ -161,6 +161,17 @@ do_configure_tomcat_ldap() {
 fi
 }
+do_configure_tomcat_lemonldap() {
+ if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "true" ]; then
+ echo_info "Start Deploying Directory lemonldap conf ..."
+ mkdir -p ${DEPLOYMENT_DIR}/gatein/conf/
+ cp ${ETC_DIR}/gatein/picketlink-sp.xml ${DEPLOYMENT_DIR}/gatein/conf/picketlink-sp.xml
+ #TODO: generate valide key and add it to lemonldap json
+ cp ${ETC_DIR}/gatein/jbid_test_keystore.jks ${DEPLOYMENT_DIR}/gatein/conf/jbid_test_keystore.jks
+ echo_info "End Deploying Directory lemonldap conf ..."
+ fi
+}
+
 do_configure_tomcat_datasources() {
 case ${DEPLOYMENT_DATABASE_TYPE} in
@@ -351,6 +362,7 @@ do_configure_tomcat_server() {
 do_configure_tomcat_email
 do_configure_tomcat_jod
 do_configure_tomcat_ldap
+ do_configure_tomcat_lemonldap
 # Install the addons manager
 # Addon manager is needed to install jdbc driver
diff --git a/etc/adt/config.template b/etc/adt/config.template
index 3135e697..001eff8a 100644
--- a/etc/adt/config.template
+++ b/etc/adt/config.template
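Review bot: `check_lemonldap_availability` in the new _functions_lemonldap.sh reports `LemonLdap ... up and available` unconditionally, because the whole probe loop is commented out, and its first line expands `${DEPLOYMENT_LEMONLDAP_PORT}`, which nothing in this patch defines (do_get_lemonldap_settings only sets the container name), so under the file's `set -u` the function aborts on that line instead. Either add the port to do_get_lemonldap_settings and probe the container's real HTTP endpoint (the commented draft still targets `ldap://localhost:${DEPLOYMENT_LDAP_PORT}`, a leftover from _functions_ldap.sh), or reduce the function to a TODO and drop the misleading message until it does something. In do_start_lemonldap, `${DOCKER_CMD} restart --no-deps` will fail if DOCKER_CMD is the plain docker CLI, whose restart has no `--no-deps` option (that is a docker-compose flag), and `-e LOGLEVEL="debug"` is hard-coded for an SSO portal that handles credentials and sessions, so the level should come from a configurable variable defaulting to a non-debug value. The opening `echo_info "Starting Ldap..."` is also a copy-paste leftover and should read `echo_info "Starting Lemonldap..."`.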
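Review bot: `do_configure_tomcat_lemonldap` in the _functions_tomcat.sh @@ -161 hunk unconditionally installs the repository's `jbid_test_keystore.jks` as the SAML SP keystore of every deployment, so the key that signs and decrypts assertions is the same for all instances and is readable by anyone with access to the repository; the `#TODO: generate valide key` comment acknowledges this but nothing gates it. Until a per-deployment keystore is generated (for example with keytool at configure time, with the corresponding certificate placed in the LemonLDAP configuration), the function should at least refuse to run outside test deployments or log a warning that a shared test key is in use. Independently, the `cp` and `mkdir` lines pass unquoted `${ETC_DIR}`/`${DEPLOYMENT_DIR}` paths; quote them as `cp -- "${ETC_DIR}/gatein/picketlink-sp.xml" "${DEPLOYMENT_DIR}/gatein/conf/picketlink-sp.xml"` and likewise for the keystore copy.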
@@ -59,6 +59,8 @@ DEPLOYMENT_ES_IMAGE_VERSION=${DEPLOYMENT_ES_IMAGE_VERSION} DEPLOYMENT_ES_HEAP=${DEPLOYMENT_ES_HEAP} DEPLOYMENT_ONLYOFFICE_HTTP_PORT=${DEPLOYMENT_ONLYOFFICE_HTTP_PORT} DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED=${DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED} +DEPLOYMENT_SAML_ENABLED=${DEPLOYMENT_SAML_ENABLED} +DEPLOYMENT_LEMONLDAP_ENABLED=${DEPLOYMENT_LEMONLDAP_ENABLED} DEPLOYMENT_LDAP_ENABLED=${DEPLOYMENT_LDAP_ENABLED} DEPLOYMENT_LDAP_PORT=${DEPLOYMENT_LDAP_PORT} DEPLOYMENT_AD_HOST=${DEPLOYMENT_AD_HOST} diff --git a/etc/gatein/jbid_test_keystore.jks b/etc/gatein/jbid_test_keystore.jks new file mode 100644 index 0000000000000000000000000000000000000000..95c597b5bb75a52663da4fc280a71298f5481d4e GIT binary patch literal 1276 zcmezO_TO6u1_mY|W&~rd;?$zD)S~3nq7tBx+->vVJwWN522D&`4fxo&wAmP07`2!L z85vm_Selp?KA*qi{@0mDQ{JvN7x*AktzyhGB~qe{^L=;U^dO%dlG7e>UrpCmo&K&s z(VnB}^u*Wc4~{qmmrlRgk{kB;i}d5Ab262rmt_QA%F{H`@?;D1?BBC8t?h@2!r5tm z;{QI4T5xNb^6$;2zx}nzy0?;i!jkD40>CWQ2%_@!i~J!J}+fV*NmNaBt7r;%zq23&37qitT>b-k+S8x zcK;bGp*@-q3P zK?+~-8gs?PU#Gu3$^A-XqulKZsS{y6CqGm#Q$6%ui%B?t_5`W!t9?(GRO_wD2iI5~POs)LKUDZ+PKM=W+0(MJ*X?v`vv~h8oPDTp`uOtC8#)eq zT)b-Z{YmkG4ljXa$M+tpDlEAo5_?B`>%zvLy2**Nt3?)lJ@=&6Wr3k3=h;Pwr}-8;7b?27Bz@16TL^8;{V6=HU5ddHhI_Cf*j|G-Y(m*QT%z3zTwsy zw$6}~d!Jfoew=-*FK9B~?CHjbdm=(x;*NdcTOGP-?`lVrr@~Ty0%L0!Zhg9;pT;?@ z%W2b%_|`uvB74{jofRxHbk`X-yWL_4sL}j+dZqf3|C#Z%y7QN~UgUoPPSmUsdZq@J z!1VmXpo#Gd5XUmHc;;sX8St`kYPET^edlFlWMO46a5UsL;ACSCWnmL$3Jo^oGvEPn zxP)1~obro{VSH{FU&ufJB+o3&nU$28qEM1rTw)+6&TC+4U}$J+Xl80+ViX1Dn!vf# zu%dB3vb%v9k-4##!Jx5|sj-pa&5Bvpd&DHazfL{+N%xrfX0>YHRF~%r#limed_PqE zeqVBYr8{H7DOU4YAMSJ2AL&|o!NH_nc5cg;gQ8C=F9`g;cjGW?S2xS&AC5Qn{$Y${ zn|ene@0Qcm>N|Grn&NheEQ&nWW4FIxyIC%uk(~z&R%W2Pq7$c2Y3<7EjnNi7^RgzS;O?4kmB}}DzK^+}<7CR3yF*FgEfWi4 z@-p%KNELy3ZL>mmJZSA;opjmt)r}aA^(9m8M!$FdQ7~(X%!G>TkKa^Ym}>Jq;HLU3 z-$hwGH%g|bx3NS@O$qD$oBQabhMM(#{lX6uo-XtVS~vIFslq8U52>Hn#+i3@=KMX9 R|D;qrnc4!^aFqo20swC>AJ6~* literal 0 HcmV?d00001 
diff --git a/etc/gatein/picketlink-sp.xml b/etc/gatein/picketlink-sp.xml new file mode 100644 index 00000000..309413a5 --- /dev/null +++ b/etc/gatein/picketlink-sp.xml @@ -0,0 +1,30 @@ + + + ${gatein.sso.idp.url} + ${gatein.sso.sp.url} + + + + + + + + + + + + + + + + + + + + + From 4105f182010bd09e7ddcc0b478777bdb678f0259 Mon Sep 17 00:00:00 2001 From: bourasom Date: Mon, 13 Jan 2020 14:30:14 +0100 Subject: [PATCH 2/2] ITOP-4284: fix lemonldap docker launch --- _functions_lemonldap.sh | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/_functions_lemonldap.sh b/_functions_lemonldap.sh index 4c28b547..8b15c40a 100644 --- a/_functions_lemonldap.sh +++ b/_functions_lemonldap.sh 
@@ -59,21 +59,25 @@ do_start_lemonldap() {
 # Ensure there is no container with the same name
 delete_docker_container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+ echo_info "Start command: ${DOCKER_CMD} run -d -e SSODOMAIN=\"${DEPLOYMENT_EXT_HOST}\" -e MANAGER_HOSTNAME=\"manager.${DEPLOYMENT_EXT_HOST}\" -e HANDLER_HOSTNAME=\"handler.${DEPLOYMENT_EXT_HOST}\" -e LOGLEVEL=\"debug\" -e FASTCGI_LISTEN_PORT=\"\" --name ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}"
+
 ${DOCKER_CMD} run \
- -d \
+ -d \
 -e SSODOMAIN="${DEPLOYMENT_EXT_HOST}" \
 -e PORTAL_HOSTNAME="auth.${DEPLOYMENT_EXT_HOST}" \
 -e MANAGER_HOSTNAME="manager.${DEPLOYMENT_EXT_HOST}" \
 -e HANDLER_HOSTNAME="handler.${DEPLOYMENT_EXT_HOST}" \
 -e TEST1_HOSTNAME="exo.${DEPLOYMENT_EXT_HOST}" \
 -e LOGLEVEL="debug" \
- -e FASTCGI_LISTEN_PORT="" \
+ -e FASTCGI_LISTEN_PORT="" \
 --name ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}
+ echo_info "${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} container started"
+
+
 evaluate_file_content ${ETC_DIR}/lemonldap/conf/config.json.template ${DEPLOYMENT_DIR}/temp/configlemon.json
 # Import lemon ldap configuration
-cat ${DEPLOYMENT_DIR}/temp/configlemon.json | ${DOCKER_CMD} exec -T ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore -
+cat ${DEPLOYMENT_DIR}/temp/configlemon.json | ${DOCKER_CMD} exec -t ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore -
 # restart lemon to be sure the configuration is uptodate
 ${DOCKER_CMD} restart --no-deps ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
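Review bot: The `exec -T` to `exec -t` change on the `cat ... | ${DOCKER_CMD} exec` line allocates a pseudo-TTY but still does not attach stdin; with the plain docker CLI only `-i` forwards the piped JSON, so `lemonldap-ng-cli restore -` would read an empty stream and the container keeps the image defaults (the removed `-T` is a docker-compose flag, which suggests DOCKER_CMD was switched from compose to docker). Replace the line with `${DOCKER_CMD} exec -i ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore - < ${DEPLOYMENT_DIR}/temp/configlemon.json`, which also drops the useless `cat`, and treat a non-zero status as fatal before the restart. The unchanged `${DOCKER_CMD} restart --no-deps` two lines below has the same compose-only flag problem and should become `${DOCKER_CMD} restart ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}` if the CLI is plain docker. The new `Start command:` log line omits `PORTAL_HOSTNAME` and `TEST1_HOSTNAME`, so it does not describe the command actually run; building the arguments in an array and logging `"${args[@]}"` would keep the two in sync. do_start_lemonldap begins and ends outside the hunk.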