gateway - adding a composition to easily test CAS as an oauth2 provider

This was the intent behind the following PR:
georchestra/georchestra-gateway#83

gateway/oauth2/README.md

@@ -0,0 +1,25 @@
+# About
+
+This composition provides a way to test geOrchestra CAS as an oauth2 identity provider.
+
+It relies on the following components:
+
+* a geOrchestra gateway
+* a LDAP on which the gateway is configured against as in a regular geOrchestra setup
+* a secondary geOrchestra LDAP which contains only a `testoauth2:testoauth2` account
+* a geOrchestra header
+* a geOrchestra CAS configured as an oauth2 provider
+* a nginx listening on port `8080` which gives access to the gateway and CAS
+
+Once launched, you can access the following url:
+
+http://localhost:8080/
+
+When clicking on login, you will either be able to log in to geOrchestra using
+the usual test accounts directly on the Gateway login page, or click onto
+"cas-oauth2" link which will get you to CAS, where you could use the
+`testoauth2` login, along with the `testoauth2` password.
+
+# Caveats
+
+CAS can take some time to get into life.

gateway/oauth2/datadir/cas/config/cas.properties

@@ -0,0 +1,51 @@
+cas.server.name=http://localhost:8080
+cas.server.prefix=${cas.server.name}/cas
+
+logging.config=file:/etc/georchestra/cas/config/log4j2.xml
+cas.theme.param-name=georchestra
+cas.theme.default-theme-name=georchestra
+
+cas.service-registry.core.init-from-json=false
+cas.service-registry.json.location=file:/etc/georchestra/cas/services
+#uncomment if getting 302 redirects on cas.{css,js} behind nginx/apache
+server.forward-headers-strategy=FRAMEWORK
+
+cas.authn.accept.enabled=false
+
+cas.authn.ldap[0].ldap-url=ldap://ldap2:389/
+cas.authn.ldap[0].bind-dn=
+cas.authn.ldap[0].bind-credential=
+
+cas.authn.ldap[0].base-dn=dc=georchestra,dc=org
+cas.authn.ldap[0].subtree-search=true
+cas.authn.ldap[0].search-filter=uid={user}
+cas.authn.ldap[0].page-size=0
+
+cas.authn.ldap[0].pool-passivator=NONE
+cas.authn.ldap[0].connection-strategy=
+cas.authn.ldap[0].connect-timeout=PT5S
+cas.authn.ldap[0].disable-pooling=false
+cas.authn.ldap[0].min-pool-size=3
+cas.authn.ldap[0].max-pool-size=10
+cas.authn.ldap[0].validate-on-checkout=true
+cas.authn.ldap[0].validate-periodically=true
+cas.authn.ldap[0].validate-period=PT5M
+cas.authn.ldap[0].validate-timeout=PT5S
+cas.authn.ldap[0].fail-fast=true
+cas.authn.ldap[0].idle-time=PT10M
+cas.authn.ldap[0].prune-period=PT2H
+cas.authn.ldap[0].block-wait-time=PT3S
+
+cas.authn.ldap[0].use-start-tls=false
+cas.authn.ldap[0].response-timeout=PT5S
+cas.authn.ldap[0].allow-multiple-dns=false
+cas.authn.ldap[0].allow-multiple-entries=false
+cas.authn.ldap[0].follow-referrals=false
+cas.authn.ldap[0].binary-attributes=jpegPhoto
+cas.authn.ldap[0].name=
+
+cas.authn.ldap[0].type=DIRECT
+cas.authn.ldap[0].dn-format=uid=%s,ou=users,dc=georchestra,dc=org
+
+cas.authn.oidc.jwks.file-system.jwks-file=file:///tmp/keystore.jwksdown
+cas.authn.saml-idp.metadata.file-system.location=file:///tmp/

gateway/oauth2/datadir/cas/config/log4j2.xml

@@ -0,0 +1,90 @@
+<?xml version="1.0" encoding="UTF-8" ?>
+<!-- Specify the refresh internal in seconds. -->
+<Configuration monitorInterval="5" packages="org.apereo.cas.logging">
+    <Properties>
+        <Property name="baseDir">/var/log</Property>
+        <Property name="cas.log.level">info</Property>
+        <Property name="spring.webflow.log.level">warn</Property>
+        <Property name="spring.security.log.level">info</Property>
+        <Property name="spring.cloud.log.level">warn</Property>
+        <Property name="spring.boot.admin.log.level">debug</Property>
+        <Property name="spring.web.log.level">warn</Property>
+        <Property name="spring.boot.log.level">warn</Property>
+        <Property name="ldap.log.level">warn</Property>
+        <Property name="pac4j.log.level">warn</Property>
+        <Property name="opensaml.log.level">warn</Property>
+        <Property name="hazelcast.log.level">warn</Property>
+    </Properties>
+    <Appenders>
+        <Console name="console" target="SYSTEM_OUT">
+            <PatternLayout pattern="%highlight{%d %p [%c] - &lt;%m&gt;}%n"/>
+        </Console>
+
+        <CasAppender name="casConsole">
+            <AppenderRef ref="console" />
+        </CasAppender>
+    </Appenders>
+    <Loggers>
+        <!-- If adding a Logger with level set higher than warn, make category as selective as possible -->
+        <!-- Loggers inherit appenders from Root Logger unless additivity is false -->
+        <AsyncLogger name="org.apereo" level="${sys:cas.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.services.persondir" level="${sys:cas.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.cas.services" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.cas.web.flow" level="${sys:cas.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.apereo.spring" level="${sys:cas.log.level}" includeLocation="true"/>
+
+        <AsyncLogger name="org.apache" level="warn" />
+        <AsyncLogger name="org.apache.http" level="error" />
+
+        <AsyncLogger name="org.springframework.boot" level="${sys:spring.boot.log.level" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.boot.context.embedded" level="info" includeLocation="true" />
+        <AsyncLogger name="org.springframework.boot.autoconfigure.security.servlet.UserDetailsServiceAutoConfiguration"
+        level="${sys:spring.security.log.level}" includeLocation="true" />
+        <AsyncLogger name="org.springframework.boot.autoconfigure.security" level="${sys:spring.security.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.boot.devtools" level="off" includeLocation="true"/>
+
+        <AsyncLogger name="org.springframework" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.webflow" level="${sys:spring.webflow.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.aop" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.web" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.session" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.scheduling" level="info" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.cloud.vault" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.web.client" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.springframework.security" level="${sys:spring.security.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.cloud" level="${sys:spring.cloud.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.amqp" level="error" />
+        <AsyncLogger name="org.springframework.integration" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.messaging" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.web" level="${sys:spring.web.log.level}" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.orm.jpa" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.scheduling" level="warn" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.context.annotation" level="off" includeLocation="true"/>
+        <AsyncLogger name="org.springframework.web.socket" level="warn" includeLocation="true"/>
+
+        <AsyncLogger name="org.thymeleaf" level="warn" includeLocation="true"/>
+
+        <AsyncLogger name="org.pac4j" level="${sys:pac4j.log.level}" includeLocation="true"/>
+
+        <AsyncLogger name="org.opensaml" level="${sys:opensaml.log.level}" includeLocation="true"/>
+        <AsyncLogger name="PROTOCOL_MESSAGE" level="${sys:opensaml.log.level}" includeLocation="true" />
+
+        <AsyncLogger name="net.sf.ehcache" level="warn" includeLocation="true"/>
+        <AsyncLogger name="com.couchbase" level="warn" includeLocation="true"/>
+        <AsyncLogger name="de.codecentric" level="${sys:spring.boot.admin.log.level}" includeLocation="true"/>
+        <AsyncLogger name="net.jradius" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.openid4java" level="warn" includeLocation="true" />
+        <AsyncLogger name="org.ldaptive" level="${sys:ldap.log.level}" includeLocation="true"/>
+        <AsyncLogger name="com.hazelcast" level="${sys:hazelcast.log.level}" includeLocation="true"/>
+
+
+        <!-- All Loggers inherit appenders specified here, unless additivity="false" on the Logger -->
+        <AsyncRoot level="warn">
+            <!--
+                 For deployment to an application server running as service,
+                 delete the casConsole appender below
+            -->
+            <AppenderRef ref="casConsole"/>
+        </AsyncRoot>
+    </Loggers>
+</Configuration>

gateway/oauth2/datadir/cas/saml/.gitkeep

@@ -0,0 +1 @@
+This directory is references in the Dockerfile so it needs to be here. 

gateway/oauth2/datadir/cas/services/georchestra-1001.json

@@ -0,0 +1,7 @@
+{
+    "@class" : "org.apereo.cas.services.RegexRegisteredService",
+    "serviceId" : "^(https|http)://.*",
+    "name" : "georchestra",
+    "id" : 1001,
+    "evaluationOrder" : 10
+}

gateway/oauth2/datadir/cas/services/oauth2-2001.json

@@ -0,0 +1,8 @@
+{
+  "@class" : "org.apereo.cas.support.oauth.services.OAuthRegisteredService",
+  "clientId": "oauth2",
+  "clientSecret": "oauth2",
+  "serviceId" : "^(https|http)://.*",
+  "name" : "oauth2",
+  "id" : 2001
+}

gateway/oauth2/datadir/cas/services/oidc-3001.json

@@ -0,0 +1,12 @@
+{
+  "@class" : "org.apereo.cas.services.OidcRegisteredService",
+  "clientId": "oidc",
+  "clientSecret": "oidc",
+  "serviceId" : "^(https|http)://.*",
+  "name" : "oidc",
+  "bypassApprovalPrompt": true,
+  "id" : 3001,
+  "scopes" : [ "java.util.HashSet",
+    [ "openid", "profile", "email", "address", "phone", "offline_access", "displayName", "eduPerson" ]
+  ]
+}

gateway/oauth2/datadir/default.properties

@@ -0,0 +1,136 @@
+# This file holds some property shared across all geOrchestra webapps
+# All properties in this file MUST be present. Do not comment any of them, they
+# do not have a default value. Adapt them according to the needs of your
+# instance.
+
+# Scheme of the geOrchestra instance
+# URL must not include the trailing slash
+# Should be https
+scheme=http
+
+# Domain name of the geOrchestra instance
+# URL must not include the trailing slash
+# Once modified, adapt the following files accordingly:
+# - mapfishapp/wfs.servers.json
+# - mapfishapp/wms.servers.json
+# - mapfishapp/wmts.servers.json
+# - mapfishapp/credentials.properties
+# - mapfishapp/print/config.yaml
+# - mapfishapp/js/GEOR_custom.js
+# - cas/cas.properties
+# - ...
+# or replace all the strings with `sed` (see README.md)
+domainName=georchestra-127-0-1-1.traefik.me
+
+# Name of this geOrchestra instance
+instanceName=geOrchestra
+
+# Default language
+language=en
+
+# Header height (size in px)
+# If different from default value "90", adapt analytics/js/GEOR_custom.js
+# accordingly
+headerHeight=90
+
+# Header URL (can be absolute or relative)
+# If different from default value "/header/", adapt
+# security-proxy/targets-mapping.properties accordingly
+headerUrl=/header/
+
+# Administrator email
+# Default email address used to send and receive mails in atlas, console and
+# extractorapp. See the corresponding properties files to override this email
+# address for specific needs.
+administratorEmail=[email protected]
+
+### PostgreSQL properties
+
+# PostgreSQL server domain name
+# Domain name, or IP address, of the PostgreSQL server
+pgsqlHost=database
+
+# PostgreSQL server port
+# Listening port of the PostgreSQL server
+pgsqlPort=5432
+
+# PostgreSQL database name
+# Default common PostgreSQL database for all geOrchestra modules
+pgsqlDatabase=georchestra
+
+# User to connect to PostgreSQL server
+# Default common PostgreSQL user for all geOrchestra modules
+pgsqlUser=georchestra
+
+# Password to connect to PostgreSQL server
+# Default common password of PostgreSQL user for all geOrchestra modules
+pgsqlPassword=georchestra
+
+### rabbitmq properties
+
+# Activate/desactivate Rabbitmq
+enableRabbitmqEvents=false
+
+# rabbitmq server domain name
+rabbitmqHost=rabbitmq
+
+# rabbitmq user
+rabbitmqUser=georchestra
+
+# rabbitmq password
+rabbitmqPassword=georchestra
+
+# rabbitmq port
+rabbitmqPort=5672
+
+### LDAP properties
+
+# LDAP server domain name
+# Domain name, or IP address, of the LDAP server
+ldapHost=ldap
+
+# LDAP server port
+# Listening port of the LDAP server
+ldapPort=389
+
+# LDAP Scheme
+# ldap or ldaps
+ldapScheme=ldap
+
+# Base DN of the LDAP directory
+# Base Distinguished Name of the LDAP directory. Also named root or suffix, see
+# http://www.zytrax.com/books/ldap/apd/index.html#base
+ldapBaseDn=dc=georchestra,dc=org
+
+# Administrator DN
+# Distinguished name of the administrator user that connects to the LDAP server
+ldapAdminDn=cn=admin,dc=georchestra,dc=org
+
+# Administrator password
+# Password of the administrator user that connects to the LDAP server
+ldapAdminPassword=secret
+
+# Users RDN
+# Relative distinguished name of the "users" LDAP organization unit. E.g. if the
+# complete name (or DN) is ou=users,dc=georchestra,dc=org, the RDN is ou=users.
+ldapUsersRdn=ou=users
+
+# Roles RDN
+# Relative distinguished name of the "roles" LDAP organization unit. E.g. if the
+# complete name (or DN) is ou=roles,dc=georchestra,dc=org, the RDN is ou=roles.
+ldapRolesRdn=ou=roles
+
+# Organizations RDN
+# Relative distinguished name of the "orgs" LDAP organization unit. E.g. if the
+# complete name (or DN) is ou=orgs,dc=georchestra,dc=org, the RDN is ou=orgs.
+ldapOrgsRdn=ou=orgs
+
+### SMTP properties
+
+# SMTP server domain name
+# Domain name, or IP address, of the SMTP server
+smtpHost=smtp
+
+# SMTP server domain name
+# Listening port of the SMTP server
+smtpPort=25