docker - provides a composition to easily test oidc/rabbitmq integration

datadir/cas/config/cas.properties

@@ -0,0 +1,51 @@
+cas.server.name=http://localhost:8080
+cas.server.prefix=${cas.server.name}/cas
+
+logging.config=file:/etc/georchestra/cas/config/log4j2.xml
+cas.theme.param-name=georchestra
+cas.theme.default-theme-name=georchestra
+
+cas.service-registry.core.init-from-json=false
+cas.service-registry.json.location=file:/etc/georchestra/cas/services
+#uncomment if getting 302 redirects on cas.{css,js} behind nginx/apache
+server.forward-headers-strategy=FRAMEWORK
+
+cas.authn.accept.enabled=false
+
+cas.authn.ldap[0].ldap-url=ldap://ldap2:389/
+cas.authn.ldap[0].bind-dn=
+cas.authn.ldap[0].bind-credential=
+
+cas.authn.ldap[0].base-dn=dc=georchestra,dc=org
+cas.authn.ldap[0].subtree-search=true
+cas.authn.ldap[0].search-filter=uid={user}
+cas.authn.ldap[0].page-size=0
+
+cas.authn.ldap[0].pool-passivator=NONE
+cas.authn.ldap[0].connection-strategy=
+cas.authn.ldap[0].connect-timeout=PT5S
+cas.authn.ldap[0].disable-pooling=false
+cas.authn.ldap[0].min-pool-size=3
+cas.authn.ldap[0].max-pool-size=10
+cas.authn.ldap[0].validate-on-checkout=true
+cas.authn.ldap[0].validate-periodically=true
+cas.authn.ldap[0].validate-period=PT5M
+cas.authn.ldap[0].validate-timeout=PT5S
+cas.authn.ldap[0].fail-fast=true
+cas.authn.ldap[0].idle-time=PT10M
+cas.authn.ldap[0].prune-period=PT2H
+cas.authn.ldap[0].block-wait-time=PT3S
+
+cas.authn.ldap[0].use-start-tls=false
+cas.authn.ldap[0].response-timeout=PT5S
+cas.authn.ldap[0].allow-multiple-dns=false
+cas.authn.ldap[0].allow-multiple-entries=false
+cas.authn.ldap[0].follow-referrals=false
+cas.authn.ldap[0].binary-attributes=jpegPhoto
+cas.authn.ldap[0].name=
+
+cas.authn.ldap[0].type=DIRECT
+cas.authn.ldap[0].dn-format=uid=%s,ou=users,dc=georchestra,dc=org
+
+cas.authn.oidc.jwks.file-system.jwks-file=file:///tmp/keystore.jwksdown
+cas.authn.saml-idp.metadata.file-system.location=file:///tmp/

datadir/cas/config/log4j2.xml

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!-- Specify the refresh internal in seconds. -->
+<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
+    <Properties>
+        <Property name="baseDir">/var/log</Property>
+        <Property name="cas.log.level">info</Property>
+        <Property name="spring.webflow.log.level">warn</Property>
+        <Property name="spring.security.log.level">info</Property>
+        <Property name="spring.cloud.log.level">warn</Property>
+        <Property name="spring.boot.admin.log.level">debug</Property>
+        <Property name="spring.web.log.level">warn</Property>
+        <Property name="spring.boot.log.level">warn</Property>
+        <Property name="ldap.log.level">warn</Property>
+        <Property name="pac4j.log.level">warn</Property>
+        <Property name="opensaml.log.level">warn</Property>
+        <Property name="hazelcast.log.level">warn</Property>
+    </Properties>
+    <Appenders>
+        <Console name="console" target="SYSTEM_OUT">
+            <PatternLayout pattern="%highlight{%d %p [%c] - &lt;%m&gt;}%n"/>
+        </Console>
+
+        <CasAppender name="casConsole">
+            <AppenderRef ref="console" />
+        </CasAppender>
+    </Appenders>
+    <Loggers>
+        <!-- If adding a Logger with level set higher than warn, make category as selective as possible -->
+        <!-- Loggers inherit appenders from Root Logger unless additivity is false -->
+        <AsyncLogger name="org.apereo" level="${sys:cas.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.services.persondir" level="${sys:cas.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.cas.services" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.cas.web.flow" level="${sys:cas.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.spring" level="${sys:cas.log.level}" includeLocation="true"/>
+
+        <AsyncLogger name="org.apache" level="warn" />
+        <AsyncLogger name="org.apache.http" level="error" />
+
+        <AsyncLogger name="org.springframework.boot" level="${sys:spring.boot.log.level" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.boot.context.embedded" level="info" includeLocation="true" />
+        <AsyncLogger name="org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration"
+        level="${sys:spring.security.log.level}" includeLocation="true" />
+        <AsyncLogger name="org.springframework.boot.autoconfigure.security" level="${sys:spring.security.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.boot.devtools" level="off" includeLocation="true"/>
+
+        <AsyncLogger name="org.springframework" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.webflow" level="${sys:spring.webflow.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.aop" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.web" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.session" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.scheduling" level="info" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.cloud.vault" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.web.client" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.security" level="${sys:spring.security.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.cloud" level="${sys:spring.cloud.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.amqp" level="error" />
+        <AsyncLogger name="org.springframework.integration" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.messaging" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.web" level="${sys:spring.web.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.orm.jpa" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.scheduling" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.context.annotation" level="off" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.web.socket" level="warn" includeLocation="true"/>
+
+        <AsyncLogger name="org.thymeleaf" level="warn" includeLocation="true"/>
+
+        <AsyncLogger name="org.pac4j" level="${sys:pac4j.log.level}" includeLocation="true"/>
+
+        <AsyncLogger name="org.opensaml" level="${sys:opensaml.log.level}" includeLocation="true"/>
+        <AsyncLogger name="PROTOCOL_MESSAGE" level="${sys:opensaml.log.level}" includeLocation="true" />
+
+        <AsyncLogger name="net.sf.ehcache" level="warn" includeLocation="true"/>
+        <AsyncLogger name="com.couchbase" level="warn" includeLocation="true"/>
+        <AsyncLogger name="de.codecentric" level="${sys:spring.boot.admin.log.level}" includeLocation="true"/>
+        <AsyncLogger name="net.jradius" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.openid4java" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
+        <AsyncLogger name="com.hazelcast" level="${sys:hazelcast.log.level}" includeLocation="true"/>
+
+
+        <!-- All Loggers inherit appenders specified here, unless additivity="false" on the Logger -->
+        <AsyncRoot level="warn">
+            <!--
+                 For deployment to an application server running as service,
+                 delete the casConsole appender below
+            -->
+            <AppenderRef ref="casConsole"/>
+        </AsyncRoot>
+    </Loggers>
+</Configuration>

datadir/cas/saml/.gitkeep

@@ -0,0 +1 @@
+This directory is references in the Dockerfile so it needs to be here. 

datadir/cas/services/georchestra-1001.json

@@ -0,0 +1,7 @@
+{
+    "@class" : "org.apereo.cas.services.RegexRegisteredService",
+    "serviceId" : "^(https|http)://.*",
+    "name" : "georchestra",
+    "id" : 1001,
+    "evaluationOrder" : 10
+}

datadir/cas/services/oauth2-2001.json

@@ -0,0 +1,8 @@
+{
+  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
+  "clientId": "oauth2",
+  "clientSecret": "oauth2",
+  "serviceId" : "^(https|http)://.*",
+  "name" : "oauth2",
+  "id" : 2001
+}

datadir/cas/services/oidc-3001.json

@@ -0,0 +1,8 @@
+{
+  "@class" : "org.apereo.cas.services.OidcRegisteredService",
+  "clientId": "oidc",
+  "clientSecret": "oidc",
+  "serviceId" : "^(https|http)://.*",
+  "name" : "OIDC",
+  "id" : 3001
+}

datadir/default.properties

@@ -6,7 +6,7 @@
 # Scheme of the geOrchestra instance
 # URL must not include the trailing slash
 # Should be https
-#scheme=https
+scheme=http
 
 # Domain name of the geOrchestra instance
 # URL must not include the trailing slash
@@ -66,6 +66,23 @@ pgsqlUser=georchestra
 # Default common password of PostgreSQL user for all geOrchestra modules
 pgsqlPassword=georchestra
 
+### rabbitmq properties
+
+# Activate/desactivate Rabbitmq
+enableRabbitmqEvents=false
+
+# rabbitmq server domain name
+rabbitmqHost=rabbitmq
+
+# rabbitmq user
+rabbitmqUser=georchestra
+
+# rabbitmq password
+rabbitmqPassword=georchestra
+
+# rabbitmq port
+rabbitmqPort=5672
+
 ### LDAP properties
 
 # LDAP server domain name

datadir/gateway/gateway.yaml

@@ -41,9 +41,9 @@ georchestra:
         access-rules:
         - intercept-url: /analytics/**
           allowed-roles: ROLE_SUPERUSER, ROLE_ORGADMIN
-      atlas: 
+      atlas:
         target: http://atlas:8080/atlas/
-      console: 
+      console:
         target: http://console:8080/console/
         access-rules:
         - intercept-url:
@@ -72,7 +72,7 @@ georchestra:
           allowed-roles: SUPERUSER
         - intercept-url: /console/account/**
           anonymous: false
-      extractorapp: 
+      extractorapp:
         target: http://extractorapp:8080/extractorapp/
         access-rules:
         - intercept-url: /extractorapp/admin*
@@ -81,7 +81,7 @@ georchestra:
           allowed-roles: ADMINISTRATOR
         - intercept-url: /extractorapp/**
           allowed-roles: EXTRACTORAPP
-      geonetwork: 
+      geonetwork:
         target: http://geonetwork:8080/geonetwork/
         access-rules:
         - intercept-url: /geonetwork/**
@@ -93,7 +93,7 @@ georchestra:
           org: false
           orgname: true
           json-user: true
-      geoserver: 
+      geoserver:
         target: http://geoserver:8080/geoserver/
         access-rules:
         - intercept-url: /geoserver/**
@@ -103,23 +103,23 @@ georchestra:
         access-rules:
         - intercept-url: /geofence/**
           allowed-roles: ADMINISTRATOR
-      header: 
+      header:
         target: http://header:8080/header/
         access-rules:
         - intercept-url: /header/**
           anonymous: true
-      mapfishapp: 
+      mapfishapp:
         target: http://mapfishapp:8080/mapfishapp/
         access-rules:
         - intercept-url: /mapfishapp/ogcproxy/**
           forbidden: true
         - intercept-url: /mapfishapp/**
           anonymous: true
-      geowebcache: 
+      geowebcache:
         target: http://geowebcache:8080/geowebcache/
-      mapstore: 
+      mapstore:
         target: http://mapstore:8080/mapstore/
-      datafeeder: 
+      datafeeder:
         target: http://datafeeder:8080/datafeeder
         headers:
           proxy: true
@@ -132,7 +132,7 @@ georchestra:
         access-rules:
         - intercept-url: /datafeeder/**
           anonymous: false
-      import: 
+      import:
         target: http://import:80/
         access-rules:
         - intercept-url: /import/**
@@ -182,3 +182,53 @@ georchestra.gateway.services:
   import.target: http://localhost:10012/
   atlas.target: http://localhost:8080/atlas/
   geowebcache.target: http://localhost:8080/geowebcache/
+
+---
+spring.config.activate.on-profile: casoauth2rabbitmq
+debug: true
+logging:
+  level:
+    root: warn
+    '[org.springframework]': debug
+    '[org.springframework.cloud.gateway]': info
+    '[org.springframework.security]': debug
+    '[org.springframework.security.oauth2]': debug
+    '[org.springframework.http.codec.json]': debug
+    '[org.springframework.security.oauth2.client.oidc]': debug
+    '[org.georchestra.gateway]': info
+    '[org.georchestra.gateway.accesslog]': info
+    '[org.georchestra.gateway.security]': debug
+    '[org.springframework.security.ldap]': info
+server:
+  forward-headers-strategy: FRAMEWORK
+logging.level.org.springframework: INFO
+logging.level.org.springframework.security.oauth2.client: DEBUG
+georchestra:
+  gateway:
+    security:
+      events:
+        rabbitmq:
+          # Note usually enableRabbitmqEvents, rabbitmqHost, etc. come from georchestra's default.properties
+          enabled: true
+          host: rabbitmq
+          port: 5672
+          user: georchestra
+          password: georchestra
+      oauth2:
+        enabled: true
+spring:
+  security:
+    oauth2:
+      client:
+        registration:
+          cas-oauth2:
+            client-id: oauth2
+            client-secret: oauth2
+            authorization-grant-type: authorization_code
+            redirect-uri: "http://localhost:8080/login/oauth2/code/cas-oauth2"
+        provider:
+          cas-oauth2:
+            authorization-uri: http://localhost:8080/cas/oauth2.0/authorize
+            token-uri: http://cas:8080/cas/oauth2.0/accessToken
+            user-info-uri: http://cas:8080/cas/oauth2.0/profile
+            userNameAttribute: id

datadir/gateway/routes.yaml

@@ -59,3 +59,7 @@ spring:
         uri: ${georchestra.gateway.services.import.target}
         predicates:
         - Path=/import/**
+      - id: cas
+        uri: http://cas:8080/cas/
+        predicates:
+          - Path=/cas/**