ITOP-4284: init lemonldap integration

_functions.sh

@@ -31,6 +31,7 @@ source "${SCRIPT_DIR}/_functions_es.sh"
 source "${SCRIPT_DIR}/_functions_chat.sh"
 source "${SCRIPT_DIR}/_functions_onlyoffice.sh"
 source "${SCRIPT_DIR}/_functions_ldap.sh"
+source "${SCRIPT_DIR}/_functions_lemonldap.sh"
 source "${SCRIPT_DIR}/_functions_cmis.sh"
 
 # #################################################################################
@@ -268,7 +269,8 @@ initialize_product_settings() {
       env_var "DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED" false
       configurable_env_var "DEPLOYMENT_ONLYOFFICE_IMAGE" "onlyoffice/documentserver-ie"
       configurable_env_var "DEPLOYMENT_ONLYOFFICE_SECRET" ""
-
+      configurable_env_var "DEPLOYMENT_SAML_ENABLED" false
+      configurable_env_var "DEPLOYMENT_LEMONLDAP_ENABLED" false
       configurable_env_var "DEPLOYMENT_LDAP_ENABLED" false
       configurable_env_var "DEPLOYMENT_LDAP_IMAGE" "dinkel/openldap"
       configurable_env_var "DEPLOYMENT_LDAP_IMAGE_VERSION" "latest"
@@ -279,7 +281,9 @@ initialize_product_settings() {
       configurable_env_var "USER_DIRECTORY_BASE_DN" "dc=exoplatform,dc=com"
       configurable_env_var "USER_DIRECTORY_ADMIN_DN" "cn=admin,dc=exoplatform,dc=com"
       configurable_env_var "USER_DIRECTORY_ADMIN_PASSWORD" "exo"
-
+      # LEMONLDAP CONF
+      configurable_env_var "DEPLOYMENT_LEMONLDAP_IMAGE" "coudot/lemonldap-ng"
+      configurable_env_var "DEPLOYMENT_LEMONLDAP_IMAGE_VERSION" "2.0.6"
       if [[ "$DEPLOYMENT_ADDONS" =~ "exo-onlyoffice" ]]; then
         env_var "DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED" true
       fi
@@ -370,7 +374,13 @@ initialize_product_settings() {
       env_var "LDAP_GATEIN_PATCH_PRODUCT_NAME" "${PRODUCT_NAME}"
       env_var "SET_ENV_PRODUCT_NAME" "${PRODUCT_NAME}"
       env_var "STANDALONE_PRODUCT_NAME" "${PRODUCT_NAME}"
+      env_var "DEPLOYMENT_SAML_ENABLED" "$DEPLOYMENT_SAML_ENABLED"
 
+      # ACTIVATE SAML CONF
+      if $DEPLOYMENT_SAML_ENABLED ; then
+        env_var DEPLOYMENT_LEMONLDAP_ENABLED "true"
+        env_var DEPLOYMENT_LDAP_ENABLED "true"
+      fi
       # Validate product and load artifact details
       # Be careful, this id should be no longer than 10 (because of mysql user name limit)
       case "${PRODUCT_NAME}" in
@@ -882,6 +892,7 @@ initialize_product_settings() {
    do_get_cmis_settings
    do_get_onlyoffice_settings
    do_get_ldap_settings
+   do_get_lemonldap_settings
    do_get_database_settings
    do_get_es_settings
    do_get_chat_settings
@@ -1404,6 +1415,7 @@ do_start() {
 
   do_start_onlyoffice
   do_start_ldap
+  do_start_lemonldap
   do_start_cmis
   do_start_database
   do_start_es
@@ -1617,6 +1629,7 @@ do_stop() {
       esac
       echo_info "Server stopped."
       do_stop_ldap
+      do_stop_lemonldap
       do_stop_onlyoffice
       do_stop_cmis
       do_stop_database
@@ -1651,6 +1664,7 @@ do_undeploy() {
     fi
     do_drop_onlyoffice_data
     do_drop_ldap_data
+    do_drop_lemonldap_data
     do_drop_cmis_data
     do_drop_chat
     do_drop_es_data

_functions_lemonldap.sh

@@ -0,0 +1,120 @@
+#!/bin/bash -eu
+
+# Don't load it several times
+set +u
+${_FUNCTIONS_LEMONLDAP_LOADED:-false} && return
+set -u
+
+# if the script was started from the base directory, then the
+# expansion returns a period
+if test "${SCRIPT_DIR}" == "."; then
+  SCRIPT_DIR="$PWD"
+  # if the script was not called with an absolute path, then we need to add the
+  # current working directory to the relative path of the script
+elif test "${SCRIPT_DIR:0:1}" != "/"; then
+  SCRIPT_DIR="$PWD/${SCRIPT_DIR}"
+fi
+
+do_get_lemonldap_settings() {  
+  if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "false" ]; then
+    return;
+  fi
+  env_var DEPLOYMENT_LEMONLDAP_CONTAINER_NAME "${INSTANCE_KEY}_lemonldap"
+}
+
+#
+# Drops all LemonLdap data used by the instance.
+#
+do_drop_lemonldap_data() {
+  echo_info "Dropping lemonldap data ..."
+  if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "true" ]; then
+    echo_info "Drops Lemonldap container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ..."
+    delete_docker_container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+    echo_info "Done."
+    echo_info "Lemonldap data dropped"
+  else
+    echo_info "Skip Drops Lemonldap container ..."
+  fi
+}
+
+do_stop_lemonldap() {
+  echo_info "Stopping Lemonldap ..."
+  if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "false" ]; then
+    echo_info "Lemonldap wasn't specified, skiping its server container shutdown"
+    return
+  fi
+  ensure_docker_container_stopped ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+  echo_info "Lemonldap container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} stopped."
+}
+
+do_start_lemonldap() {
+  echo_info "Starting Ldap..."
+  if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "false" ]; then
+    echo_info "Lemonldap not specified, skiping its server container startup"
+    return
+  fi
+
+  echo_info "Starting Lemonldap container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} based on image ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}"
+
+  # Ensure there is no container with the same name
+  delete_docker_container ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+
+  echo_info "Start command: ${DOCKER_CMD} run -d -e SSODOMAIN=\"${DEPLOYMENT_EXT_HOST}\" -e MANAGER_HOSTNAME=\"manager.${DEPLOYMENT_EXT_HOST}\" -e HANDLER_HOSTNAME=\"handler.${DEPLOYMENT_EXT_HOST}\" -e LOGLEVEL=\"debug\" -e FASTCGI_LISTEN_PORT=\"\" --name ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}"
+
+  ${DOCKER_CMD} run \
+    -d \
+    -e SSODOMAIN="${DEPLOYMENT_EXT_HOST}"  \
+    -e PORTAL_HOSTNAME="auth.${DEPLOYMENT_EXT_HOST}"  \
+    -e MANAGER_HOSTNAME="manager.${DEPLOYMENT_EXT_HOST}"  \
+    -e HANDLER_HOSTNAME="handler.${DEPLOYMENT_EXT_HOST}"  \
+    -e TEST1_HOSTNAME="exo.${DEPLOYMENT_EXT_HOST}"  \
+    -e LOGLEVEL="debug"  \
+    -e FASTCGI_LISTEN_PORT=""  \
+    --name ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} ${DEPLOYMENT_LEMONLDAP_IMAGE}:${DEPLOYMENT_LEMONLDAP_IMAGE_VERSION}
+
+   echo_info "${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} container started"
+
+  evaluate_file_content ${ETC_DIR}/lemonldap/conf/config.json.template ${DEPLOYMENT_DIR}/temp/configlemon.json
+
+# Import lemon ldap configuration
+cat ${DEPLOYMENT_DIR}/temp/configlemon.json | ${DOCKER_CMD} exec -t ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} /usr/share/lemonldap-ng/bin/lemonldap-ng-cli restore -
+
+# restart lemon to be sure the configuration is uptodate
+${DOCKER_CMD} restart --no-deps ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME}
+
+  echo_info "${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} container started"  
+
+  check_lemonldap_availability
+}
+
+check_lemonldap_availability() {
+  echo_info "Waiting for Lemonldap availability on port ${DEPLOYMENT_LEMONLDAP_PORT}"
+  local count=0
+  local try=600
+  local wait_time=1
+  local RET=-1
+
+  #while [ $count -lt $try -a $RET -ne 0 ]; do
+  #  count=$(( $count + 1 ))
+ #   set +e
+#
+  #  curl -s -q --max-time ${wait_time} ldap://localhost:${DEPLOYMENT_LDAP_PORT}  > /dev/null
+  #  RET=$?
+  #  if [ $RET -ne 0 ]; then
+  #    [ $(( ${count} % 10 )) -eq 0 ] && echo_info "Lemonldap not yet available (${count} / ${try})..."    
+  #    echo -n "."
+  #    sleep $wait_time
+  #  fi
+  #  set -e
+  #done
+  #if [ $count -eq $try ]; then
+  #  echo_error "Ldap ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} not available after $(( ${count} * ${wait_time}))s"
+  #  exit 1
+  #fi
+  echo_info "LemonLdap ${DEPLOYMENT_LEMONLDAP_CONTAINER_NAME} up and available"
+}
+
+# #############################################################################
+# Env var to not load it several times
+_FUNCTIONS_LEMONLDAP_LOADED=true
+echo_debug "_function_lemonldap.sh Loaded"

_functions_tomcat.sh

@@ -161,6 +161,17 @@ do_configure_tomcat_ldap() {
   fi
 }
 
+do_configure_tomcat_lemonldap() {  
+  if [ "${DEPLOYMENT_LEMONLDAP_ENABLED}" == "true" ]; then
+    echo_info "Start Deploying Directory lemonldap conf ..."      
+    mkdir -p ${DEPLOYMENT_DIR}/gatein/conf/
+    cp ${ETC_DIR}/gatein/picketlink-sp.xml ${DEPLOYMENT_DIR}/gatein/conf/picketlink-sp.xml
+    #TODO: generate valide key and add it to lemonldap json
+    cp ${ETC_DIR}/gatein/jbid_test_keystore.jks ${DEPLOYMENT_DIR}/gatein/conf/jbid_test_keystore.jks
+    echo_info "End Deploying Directory lemonldap conf ..."    
+  fi
+}
+
 do_configure_tomcat_datasources() {
 
   case ${DEPLOYMENT_DATABASE_TYPE} in
@@ -351,6 +362,7 @@ do_configure_tomcat_server() {
   do_configure_tomcat_email
   do_configure_tomcat_jod
   do_configure_tomcat_ldap
+  do_configure_tomcat_lemonldap
 
   # Install the addons manager
   # Addon manager is needed to install jdbc driver

etc/adt/config.template

@@ -59,6 +59,8 @@ DEPLOYMENT_ES_IMAGE_VERSION=${DEPLOYMENT_ES_IMAGE_VERSION}
 DEPLOYMENT_ES_HEAP=${DEPLOYMENT_ES_HEAP}
 DEPLOYMENT_ONLYOFFICE_HTTP_PORT=${DEPLOYMENT_ONLYOFFICE_HTTP_PORT}
 DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED=${DEPLOYMENT_ONLYOFFICE_DOCUMENTSERVER_ENABLED}
+DEPLOYMENT_SAML_ENABLED=${DEPLOYMENT_SAML_ENABLED}
+DEPLOYMENT_LEMONLDAP_ENABLED=${DEPLOYMENT_LEMONLDAP_ENABLED}
 DEPLOYMENT_LDAP_ENABLED=${DEPLOYMENT_LDAP_ENABLED}
 DEPLOYMENT_LDAP_PORT=${DEPLOYMENT_LDAP_PORT}
 DEPLOYMENT_AD_HOST=${DEPLOYMENT_AD_HOST}

etc/gatein/picketlink-sp.xml

@@ -0,0 +1,30 @@
+<PicketLink xmlns="urn:picketlink:identity-federation:config:2.1">
+  <PicketLinkSP xmlns="urn:picketlink:identity-federation:config:2.1"
+                ServerEnvironment="tomcat" BindingType="POST" SupportsSignatures="true" LogOutPage="/" EnableAudit="true">
+    <IdentityURL>${gatein.sso.idp.url}</IdentityURL>
+    <ServiceURL>${gatein.sso.sp.url}</ServiceURL>
+
+    <!-- WARNING: This bundled keystore is only for testing purposes. You should generate and configure your own keystore!-->
+    <KeyProvider ClassName="org.picketlink.identity.federation.core.impl.KeyStoreKeyManager">
+      <Auth Key="KeyStoreURL" Value="${gatein.sso.picketlink.keystore}"/>
+      <Auth Key="KeyStorePass" Value="${gatein.sso.idp.keystorepass}"/>
+      <Auth Key="SigningKeyPass" Value="${gatein.sso.idp.signingkeypass}"/>
+      <Auth Key="SigningKeyAlias" Value="${gatein.sso.idp.alias}"/>
+      <Auth Key="salt" Value="18273645"/>
+      <Auth Key="iterationCount" Value="11"/>
+      <ValidatingAlias Key="${gatein.sso.idp.host}" Value="${gatein.sso.idp.alias}"/>
+    </KeyProvider>
+
+  </PicketLinkSP>
+
+  <Handlers xmlns="urn:picketlink:identity-federation:handler:config:2.1">
+    <Handler
+        class="org.gatein.sso.agent.saml.PortalSAML2LogOutHandler"/>
+    <Handler
+        class="org.picketlink.identity.federation.web.handlers.saml2.SAML2AuthenticationHandler">
+        <Option Key="NAMEID_FORMAT" Value="urn:oasis:names:tc:SAML:1.1:nameid-format:persistent"/>
+    </Handler>
+    <Handler
+        class="org.picketlink.identity.federation.web.handlers.saml2.RolesGenerationHandler"/>
+  </Handlers>
+</PicketLink>