[faas#35] faas-registry - automate creating user controler

added.

Dockerfile

@@ -9,9 +9,10 @@ RUN echo $FAAS_REGISTRY_NAME > /faas-docker-name
 RUN echo $FAAS_REGISTRY_VERSION > /faas-docker-version
 
 RUN apt-get -q update  && \
-    apt-get install -y  memcached apache2 python3-pip composer git mc wget gearman-tools gearman && \
+    apt-get install -y apache2 python3-pip composer  gearman-tools gearman && \
+    apt-get install -y composer gearman  gearman-tools python3-pip  && \
     apt-get install -y php php-common php7.4-opcache php-gd php-curl php-intl php-mbstring php-xmlrpc php-mysql php-soap php-bcmath php-zip php-memcached php-apcu php-cli php-xml php-gearman libapache2-mod-php && \
-    apt-get install -y mariadb-client && \
+    apt-get install -y mariadb-client git mc memcached wget && \
     apt-get -y autoremove && \
     apt-get -y clean
 
@@ -54,4 +55,6 @@ COPY ./conf/etc/apache2/sites-available/000-default.conf /etc/apache2/sites-avai
 COPY ./conf/etc/supervisord.conf /etc/supervisord.conf
 COPY ./conf/etc/entrypoint /etc/entrypoint
 
+COPY ./conf/etc/registry/application/controllers/CLISetup.php /opt/rr3/application/controllers/CLISetup.php
+
 ENTRYPOINT ["/etc/entrypoint"]
\ No newline at end of file

conf/credentials/faas-registry-default.cnf

 MYSQL_ROOT_PASSWORD=changeme
 FAAS_REGISTRY_DB_PASSWORD=changeme
 FAAS_REGISTRY_RR_SYNCPASS=changeme
-FAAS_REGISTRY_RR_MAIL_PASS=
\ No newline at end of file
+FAAS_REGISTRY_RR_MAIL_PASS=
+FAAS_REGISTRY_RR_FIRSTUSER_PASSWORD=changeme

conf/etc/registry/application/config/config.php

@@ -126,7 +126,7 @@ $config['subclass_prefix'] = 'MY_';
 | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!!
 |
 */
-$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
+$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-@';
 
 
 /*

conf/etc/registry/application/controllers/CLISetup.php

+<?php
+if (!defined('BASEPATH')) {
+    exit('No direct script access allowed');
+}
+/**
+ * ResourceRegistry3
+ * 
+ * @package     RR3
+ * @author      Middleware Team HEAnet 
+ * @copyright   Copyright (c) 2012, HEAnet Limited (http://www.heanet.ie)
+ * @license     MIT http://www.opensource.org/licenses/mit-license.php
+ *  
+ */
+
+/**
+ * Setup CLI Class
+ * 
+ * @package     RR3
+ * @author      Dariusz Janny <janny@man.poznan.pl>
+ */
+
+
+class CLISetup extends MY_Controller {
+
+    protected $em;
+    protected $member_role;
+
+    public function __construct() {
+        parent::__construct();
+        $this->em = $this->doctrine->em;
+        
+
+        $setup_allowed = $this->config->item('rr_setup_allowed');
+        if (!$setup_allowed === TRUE) {
+            //show_error('Setup is disabled', 404);
+        }
+        $this->member_role = null;
+    }
+
+    public function submit($username, $email, $password, $fname, $sname) {
+        if (is_cli()) {
+            /**
+             * add user, system roles, and add user to Administrator role
+             */
+            $this->_populateFirstUser($username, $email, $password,$fname,$sname);
+
+            /**
+             * populate attributes
+             */
+            $this->_populateAttributes();
+            $this->_populateResources();
+            $this->em->flush();
+        }
+    }
+
+    private function _populateResources() {
+        $resources = array(
+            array('name' => 'default', 'parent' => '', 'default' => 'none'),
+            array('name' => 'importer', 'parent' => 'default', 'default' => 'none'),
+            array('name' => 'sp_list', 'parent' => 'default', 'default' => 'read'),
+            array('name' => 'idp_list', 'parent' => 'default', 'default' => 'read'),
+            array('name' => 'dashboard', 'parent' => 'default', 'default' => 'read'),
+            array('name' => 'federation', 'parent' => 'default', 'default' => 'read'),
+            array('name' => 'entity', 'parent' => 'default', 'default' => 'read'),
+            array('name' => 'idp', 'parent' => 'entity', 'default' => 'read'),
+            array('name' => 'sp', 'parent' => 'entity', 'default' => 'read'),
+            array('name' => 'user', 'parent' => 'default', 'default' => 'read'),
+            array('name' => 'password', 'parent' => 'user', 'default' => 'none'),
+        );
+        $parents = array();
+        foreach ($resources as $r) {
+            $r_name = $r['name'];
+            $parent_name = $r['parent'];
+            if (empty($parent_name)) {
+                $res = new models\AclResource;
+                $res->setResource($r['name']);
+                $res->setDefaultValue($r['default']);
+                $parents[$r['name']] = $res;
+            } else {
+
+                $res = new models\AclResource;
+                $res->setResource($r['name']);
+                $res->setDefaultValue($r['default']);
+                $res->setParent($parents[$r['parent']]);
+                $parents[$r['name']] = $res;
+            }
+            $this->em->persist($res);
+            if($r_name == 'dashboard' || $r_name == 'sp_list' || $r_name == 'idp_list' || $r_name == 'entity')
+            {
+                $acl = new models\Acl;
+                $acl->setResource($res);
+                $acl->setRole($this->member_role);
+                $acl->setAction('read');
+                $acl->setAccess(true);
+                $this->em->persist($acl);
+            }
+
+        }
+    }
+
+    private function _populateFirstUser($username, $email, $password, $fname, $sname) {
+
+        $guest_role = new models\AclRole;
+        $guest_role->setName('Guest');
+        $guest_role->setDescription('role with lowest permissions');
+        $guest_role->setType('system');
+        $this->em->persist($guest_role);
+
+        $user_role = new models\AclRole;
+        $user_role->setName('Member');
+        $user_role->setDescription('role with middle permissions');
+        $user_role->setParent($guest_role);
+        $user_role->setType('system');
+        $this->em->persist($user_role);
+        $this->member_role = $user_role;
+
+        $admin_role = new models\AclRole;
+        $admin_role->setName('Administrator');
+        $admin_role->setDescription('role with highest permissions, only resource registry admins may be members of this group');
+        $admin_role->setParent($user_role);
+        $admin_role->setType('system');
+        $this->em->persist($admin_role);
+
+        $user = $this->em->getRepository("models\User")->findOneBy(array('username' => $username));
+        if (empty($user)) {
+            $user = new models\User;
+        }
+        $user->setSalt();
+        $user->setUsername($username);
+        $user->setPassword($password);
+        $user->setEmail($email);
+        $user->setGivenname($fname);
+        $user->setSurname($sname);
+        $user->setLocalEnabled();
+        $user->setFederatedDisabled();
+        $user->setAccepted();
+        $user->setEnabled();
+        $user->setValid();
+        $admin_role->setMember($user);
+        $this->em->persist($user);
+        return true;
+    }
+    
+    private function _populateAttributes() {
+        $attributes = array(
+            array('name' => 'preferredLanguage', 'fullname' => 'Preferred Language', 'oid' => 'urn:oid:2.16.840.1.113730.3.1.39', 'urn' => 'urn:mace:dir:attribute-def:preferredLanguage', 'description' => 'Preferred language: Users preferred language (see RFC1766)'),
+            array('name' => 'email', 'fullname' => 'Email', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.3', 'urn' => 'urn:mace:dir:attribute-def:mail', 'description' => 'E-Mail: Preferred address for e-mail to be sent to this person'),
+            array('name' => 'homePostalAddress', 'fullname' => 'Home postal address', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.39', 'urn' => 'urn:mace:dir:attribute-def:homePostalAddress', 'description' => 'Home postal address: Home address of the user'),
+            array('name' => 'postalAddress', 'fullname' => 'Business postal address', 'oid' => 'urn:oid:2.5.4.16', 'urn' => 'urn:mace:dir:attribute-def:postalAddress', 'description' => 'Business postal address: Campus or office address'),
+            array('name' => 'homePhone', 'fullname' => 'Private phone number', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.20', 'urn' => 'urn:mace:dir:attribute-def:homePhone', 'description' => 'Private phone number'),
+            array('name' => 'telephoneNumber', 'fullname' => 'Business phone number', 'oid' => 'urn:oid:2.5.4.20', 'urn' => 'urn:mace:dir:attribute-def:telephoneNumber', 'description' => 'Business phone number: Office or campus phone number'),
+            array('name' => 'mobile', 'fullname' => 'Mobile phone number', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.41', 'urn' => 'urn:mace:dir:attribute-def:mobile', 'description' => 'Mobile phone number'),
+            array('name' => 'eduPersonAffiliation', 'fullname' => 'Affiliation', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.1', 'urn' => 'urn:mace:dir:attribute-def:eduPersonAffiliation', 'description' => 'Affiliation: Type of affiliation with Home Organization'),
+            array('name' => 'eduPersonOrgDN', 'fullname' => 'Organization path', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3', 'urn' => 'urn:mace:dir:attribute-def:eduPersonOrgDN', 'description' => 'Organization path: The distinguished name (DN) of the directory entry representing the organization with which the person is associated'),
+            array('name' => 'eduPersonOrgUnitDN', 'fullname' => 'Organizational unit path', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4', 'urn' => 'urn:mace:dir:attribute-def:eduPersonOrgUnitDN', 'description' => 'Organization unit path: The distinguished name (DN) of the directory entries representing the person\'s Organizational Unit(s)'),
+            array('name' => 'eduPersonEntitlement', 'fullname' => 'Entitlement', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', 'urn' => 'urn:mace:dir:attribute-def:eduPersonEntitlement', 'description' => 'Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement ac'),
+            array('name' => 'surname', 'fullname' => 'Surname', 'oid' => 'urn:oid:2.5.4.4', 'urn' => 'urn:mace:dir:attribute-def:sn', 'description' => 'Surname or family name'),
+            array('name' => 'givenName', 'fullname' => 'Given name', 'oid' => 'urn:oid:2.5.4.42', 'urn' => 'urn:mace:dir:attribute-def:givenName', 'description' => 'Given name of a person'),
+            array('name' => 'uid', 'fullname' => 'User ID', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'urn' => 'urn:mace:dir:attribute-def:uid', 'description' => 'A unique identifier for a person, mainly used for user identification within the user\'s home organization.'),
+            array('name' => 'employeeNumber', 'fullname' => 'Employee number', 'oid' => 'urn:oid:2.16.840.1.113730.3.1.3', 'urn' => 'urn:mace:dir:attribute-def:employeeNumber', 'description' => 'Identifies an employee within an organization'),
+            array('name' => 'ou', 'fullname' => 'Organizational Unit', 'oid' => 'urn:oid:2.5.4.11', 'urn' => 'urn:mace:dir:attribute-def:ou', 'description' => 'OrganizationalUnit currently used for faculty membership of staff at UZH.'),
+            array('name' => 'eduPersonPrincipalName', 'fullname' => 'Principal Name', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'urn' => 'urn:mace:dir:attribute-def:eduPersonPrincipalName', 'description' => 'eduPerson per Internet2 and EDUCAUSE see http://www.nmi-edit.org/eduPerson/draft-internet2-mace'),
+            array('name' => 'eduPersonAssurance', 'fullname' => 'Assurance Level', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.11', 'urn' => 'urn:mace:dir:attribute-def:assurance', 'description' => 'Level that describes the confidences that one can have into the asserted identity of the user.'),
+            array('name' => 'transientId', 'fullname' => 'transient nameid for backward compatibility', 'oid' => 'urn:oid:1.2.3.4.5.6.7.8.9.10', 'urn' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'description' => 'The Shibboleth transient ID is a name format that was used to encode eduPersonTargetedID in the past. A limited number of resources outside the Edugate federation still require this format', 'immeta'=>false),
+            array('name' => 'organizationName', 'fullname' => 'Organization Name', 'oid' => 'urn:oid:2.5.4.10', 'urn' => 'urn:mace:dir:attribute-def:o', 'description' => NULL),
+            array('name' => 'eduPersonTargetedID', 'fullname' => 'eduPerson Targeted ID', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'urn' => 'urn:mace:dir:attribute-def:eduPersonTargetedID', 'description' => 'A pseudonomynous ID generated by the IdP that is unique to each SP'),
+            array('name' => 'persistentUID', 'fullname' => 'persistentUID', 'oid' => 'urn:oid:3.6.1.4.1.5923.1.1.1.10', 'urn' => 'urn:mace:eduserv.org.uk:athens:attribute-def:person:1.0:persistentUID', 'description' => 'This is the Athens persistentUID, it has no OID so we re-use the EduPerson PersistenID OID as it is closest'),
+            array('name' => 'eduPersonScopedAffiliation', 'fullname' => 'Affiliation (Scoped)', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'urn' => 'urn:mace:dir:attribute-def:eduPersonScopedAffiliation ', 'description' => 'the affiliation of the user to the organisation concatendated with the domain name of the org (e.g. staff@dcu.ie)'),
+            array('name' => 'persistentId', 'fullname' => 'persistent nameid', 'oid' => 'urn:oid:1.2.3.4.5.6.7.8.9.11', 'urn' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'description' => 'This attribute will appear in the subject section of AuthnRespones, only to be used if the service cannot handle a persistent ID within the attribute section of the AuthnResponse', 'inmeta'=>false),
+            array('name' => 'freebusyurl', 'fullname' => 'freebusyurl', 'oid' => 'urn:oid:1.3.6.1.4.1.250.1.57', 'urn' => 'urn:mace:heanet.ie:attributedef:freebusyurl', 'description' => 'freebusyurl is a url to a user calendar in caldav format'),
+            array('name' => 'sAMAccountName', 'fullname' => 'sAMAccountName', 'oid' => 'urn:oid:1.2.840.113556.1.4.221', 'urn' => 'urn:oid:1.2.840.113556.1.4.221', 'description' => 'sAMAccountName from Active Directory')
+        );
+
+        $i = 0;
+        foreach ($attributes as $attr) {
+            $at[$i] = new models\Attribute;
+            $at[$i]->setName($attr['name']);
+            $at[$i]->setFullname($attr['fullname']);
+            $at[$i]->setOid($attr['oid']);
+            $at[$i]->setUrn($attr['urn']);
+            $at[$i]->setDescription($attr['description']);
+            if(array_key_exists('inmeta',$attr)){
+                $at[$i]->setShowInmetadata($attr['inmeta']);
+            }
+            else {
+                $at[$i]->setShowInmetadata(true);
+            }
+            $i++;
+        }
+        foreach ($at as $key) {
+            $this->em->persist($key);
+        }
+        return true;
+    }
+
+}

conf/faas-registry.cnf

@@ -9,7 +9,7 @@ FAAS_REGISTRY_BASE_URL=http://localhost:9080
 FAAS_REGISTRY_COOKIE_SECURE=FALSE
 FAAS_REGISTRY_TIMEZONE=Europe/Warsaw
 
-FAAS_REGISTRY_RR_SETUP_ALLOWED=TRUE
+FAAS_REGISTRY_RR_SETUP_ALLOWED=FALSE
 FAAS_REGISTRY_RR_SUPPORT_MAILTO=janny@man.poznan.pl
 
 FAAS_REGISTRY_DB_HOSTNAME=faas_db
@@ -17,4 +17,9 @@ FAAS_REGISTRY_DB_USERNAME=rr3_user
 FAAS_REGISTRY_DB_NAME=rr3_db
 
 FAAS_REGISTRY_RR_MAIL_USER=postfix
-FAAS_REGISTRY_RR_MAIL_FROM=janny@man.poznan.pl
\ No newline at end of file
+FAAS_REGISTRY_RR_MAIL_FROM=janny@man.poznan.pl
+
+FAAS_REGISTRY_RR_FIRSTUSER_USERNAME=admin
+FAAS_REGISTRY_RR_FIRSTUSER_EMAIL=janny@man.poznan.pl
+FAAS_REGISTRY_RR_FIRSTUSER_FNAME=John
+FAAS_REGISTRY_RR_FIRSTUSER_SNAME=Doe