diff --git a/Dockerfile b/Dockerfile
index e5cb9d3e5e2bb2fe9ab9d15c0b4f4d992b0de164..919c5605b2a968ee82738dc4c11072046837c136 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,9 +9,10 @@ RUN echo $FAAS_REGISTRY_NAME > /faas-docker-name
 RUN echo $FAAS_REGISTRY_VERSION > /faas-docker-version
 RUN apt-get -q update && \
- apt-get install -y memcached apache2 python3-pip composer git mc wget gearman-tools gearman && \
+ apt-get install -y apache2 python3-pip composer gearman-tools gearman && \
+ apt-get install -y composer gearman gearman-tools python3-pip && \
 apt-get install -y php php-common php7.4-opcache php-gd php-curl php-intl php-mbstring php-xmlrpc php-mysql php-soap php-bcmath php-zip php-memcached php-apcu php-cli php-xml php-gearman libapache2-mod-php && \
- apt-get install -y mariadb-client && \
+ apt-get install -y mariadb-client git mc memcached wget && \
 apt-get -y autoremove && \
 apt-get -y clean
@@ -54,4 +55,6 @@ COPY ./conf/etc/apache2/sites-available/000-default.conf /etc/apache2/sites-avai
 COPY ./conf/etc/supervisord.conf /etc/supervisord.conf
 COPY ./conf/etc/entrypoint /etc/entrypoint
+COPY ./conf/etc/registry/application/controllers/CLISetup.php /opt/rr3/application/controllers/CLISetup.php
+
 ENTRYPOINT ["/etc/entrypoint"]
\ No newline at end of file
diff --git a/conf/credentials/faas-registry-default.cnf b/conf/credentials/faas-registry-default.cnf
index 5bd62493f5ce3c94c5f38cdf858dc71797ab5c22..28aff77d320beae8f9e6c081c5b27ea4f6ef5a26 100644
--- a/conf/credentials/faas-registry-default.cnf
+++ b/conf/credentials/faas-registry-default.cnf
@@ -1,4 +1,5 @@
 MYSQL_ROOT_PASSWORD=changeme
 FAAS_REGISTRY_DB_PASSWORD=changeme
 FAAS_REGISTRY_RR_SYNCPASS=changeme
-FAAS_REGISTRY_RR_MAIL_PASS=
\ No newline at end of file
+FAAS_REGISTRY_RR_MAIL_PASS=
+FAAS_REGISTRY_RR_FIRSTUSER_PASSWORD=changeme
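Review bot: The new line `apt-get install -y composer gearman gearman-tools python3-pip && \` installs only packages that the added line directly above it already installs (composer, gearman-tools, gearman, python3-pip), so it is a redundant second apt invocation and should be dropped. Moving git, mc, memcached and wget onto the mariadb-client line is harmless, but with the install now spread over several invocations in one RUN it would also be worth adding `--no-install-recommends` and finishing the RUN with `rm -rf /var/lib/apt/lists/*`, so the index fetched by `apt-get -q update` is not baked into the image layer.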
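Review bot: `FAAS_REGISTRY_RR_FIRSTUSER_PASSWORD=changeme` follows the file's existing placeholder convention, but unlike the DB and sync passwords this value becomes the login password of the Administrator account that the new CLISetup controller creates, so a deployment that forgets to override it starts with a well-known admin login (`admin`, per the default username added to faas-registry.cnf in the same commit). Leaving the value empty here and having whatever invokes CLISetup refuse to run while it is empty or still `changeme` would fail closed instead; the entrypoint is not part of this diff, so I cannot tell whether it already does that. A comment above the line such as `# must be overridden before first start; used once to create the Administrator account` would at least make the intent explicit.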
diff --git a/conf/etc/registry/application/config/config.php b/conf/etc/registry/application/config/config.php
index 821e76add024b8f018d225c37caf04adaaec8956..60f765f411c89386b72650a6ac01f641aa1fae2a 100644
--- a/conf/etc/registry/application/config/config.php
+++ b/conf/etc/registry/application/config/config.php
@@ -126,7 +126,7 @@ $config['subclass_prefix'] = 'MY_';
 | DO NOT CHANGE THIS UNLESS YOU FULLY UNDERSTAND THE REPERCUSSIONS!! | */
-$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-';
+$config['permitted_uri_chars'] = 'a-z 0-9~%.:_\-@';
 /*
diff --git a/conf/etc/registry/application/controllers/CLISetup.php b/conf/etc/registry/application/controllers/CLISetup.php
new file mode 100644
index 0000000000000000000000000000000000000000..aec34b79a6618d36b2aef9c001eacc83c52d0daf
--- /dev/null
+++ b/conf/etc/registry/application/controllers/CLISetup.php
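Review bot: Adding `@` to `permitted_uri_chars` widens the character set for every HTTP request, not only for the CLI invocation that presumably needs an e-mail address as a URI segment, and nothing in the hunk records why it was changed. Because the surrounding block explicitly warns against touching this setting, a one-line comment above it, `// '@' added so an e-mail address can be passed as a URI segment to CLISetup::submit`, would stop the next maintainer from reverting it. I am inferring the motivation from the CLISetup.php added in the same commit; if the reason is different, the comment should say what it is.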
@@ -0,0 +1,196 @@
+<?php
+if (!defined('BASEPATH')) {
+ exit('No direct script access allowed');
+}
+/**
+ * ResourceRegistry3
+ *
+ * @package RR3
+ * @author Middleware Team HEAnet
+ * @copyright Copyright (c) 2012, HEAnet Limited (http://www.heanet.ie)
+ * @license MIT http://www.opensource.org/licenses/mit-license.php
+ *
+ */
+
+/**
+ * Setup CLI Class
+ *
+ * @package RR3
+ * @author Dariusz Janny <janny@man.poznan.pl>
+ */
+
+ class CLISetup extends MY_Controller {
+
+ protected $em;
+ protected $member_role;
+
+ public function __construct() {
+ parent::__construct();
+ $this->em = $this->doctrine->em;
+
+
+ $setup_allowed = $this->config->item('rr_setup_allowed');
+ if (!$setup_allowed === TRUE) {
+ //show_error('Setup is disabled', 404);
+ }
+ $this->member_role = null;
+ }
+
+ public function submit($username, $email, $password, $fname, $sname) {
+ if (is_cli()) {
+ /**
+ * add user, system roles, and add user to Administrator role
+ */
+ $this->_populateFirstUser($username, $email, $password,$fname,$sname);
+
+ /**
+ * populate attributes
+ */
+ $this->_populateAttributes();
+ $this->_populateResources();
+ $this->em->flush();
+ }
+ }
+
+ private function _populateResources() {
+ $resources = array(
+ array('name' => 'default', 'parent' => '', 'default' => 'none'),
+ array('name' => 'importer', 'parent' => 'default', 'default' => 'none'),
+ array('name' => 'sp_list', 'parent' => 'default', 'default' => 'read'),
+ array('name' => 'idp_list', 'parent' => 'default', 'default' => 'read'),
+ array('name' => 'dashboard', 'parent' => 'default', 'default' => 'read'),
+ array('name' => 'federation', 'parent' => 'default', 'default' => 'read'),
+ array('name' => 'entity', 'parent' => 'default', 'default' => 'read'),
+ array('name' => 'idp', 'parent' => 'entity', 'default' => 'read'),
+ array('name' => 'sp', 'parent' => 'entity', 'default' => 'read'),
+ array('name' => 'user', 'parent' => 'default', 'default' => 'read'),
+ array('name' => 'password', 'parent' => 
'user', 'default' => 'none'),
+ );
+ $parents = array();
+ foreach ($resources as $r) {
+ $r_name = $r['name'];
+ $parent_name = $r['parent'];
+ if (empty($parent_name)) {
+ $res = new models\AclResource;
+ $res->setResource($r['name']);
+ $res->setDefaultValue($r['default']);
+ $parents[$r['name']] = $res;
+ } else {
+
+ $res = new models\AclResource;
+ $res->setResource($r['name']);
+ $res->setDefaultValue($r['default']);
+ $res->setParent($parents[$r['parent']]);
+ $parents[$r['name']] = $res;
+ }
+ $this->em->persist($res);
+ if($r_name == 'dashboard' || $r_name == 'sp_list' || $r_name == 'idp_list' || $r_name == 'entity')
+ {
+ $acl = new models\Acl;
+ $acl->setResource($res);
+ $acl->setRole($this->member_role);
+ $acl->setAction('read');
+ $acl->setAccess(true);
+ $this->em->persist($acl);
+ }
+
+ }
+ }
+
+ private function _populateFirstUser($username, $email, $password, $fname, $sname) {
+
+ $guest_role = new models\AclRole;
+ $guest_role->setName('Guest');
+ $guest_role->setDescription('role with lowest permissions');
+ $guest_role->setType('system');
+ $this->em->persist($guest_role);
+
+ $user_role = new models\AclRole;
+ $user_role->setName('Member');
+ $user_role->setDescription('role with middle permissions');
+ $user_role->setParent($guest_role);
+ $user_role->setType('system');
+ $this->em->persist($user_role);
+ $this->member_role = $user_role;
+
+ $admin_role = new models\AclRole;
+ $admin_role->setName('Administrator');
+ $admin_role->setDescription('role with highest permissions, only resource registry admins may be members of this group');
+ $admin_role->setParent($user_role);
+ $admin_role->setType('system');
+ $this->em->persist($admin_role);
+
+ $user = $this->em->getRepository("models\User")->findOneBy(array('username' => $username));
+ if (empty($user)) {
+ $user = new models\User;
+ }
+ $user->setSalt();
+ $user->setUsername($username);
+ $user->setPassword($password);
+ $user->setEmail($email);
+ $user->setGivenname($fname);
+ 
$user->setSurname($sname);
+ $user->setLocalEnabled();
+ $user->setFederatedDisabled();
+ $user->setAccepted();
+ $user->setEnabled();
+ $user->setValid();
+ $admin_role->setMember($user);
+ $this->em->persist($user);
+ return true;
+ }
+
+ private function _populateAttributes() {
+ $attributes = array(
+ array('name' => 'preferredLanguage', 'fullname' => 'Preferred Language', 'oid' => 'urn:oid:2.16.840.1.113730.3.1.39', 'urn' => 'urn:mace:dir:attribute-def:preferredLanguage', 'description' => 'Preferred language: Users preferred language (see RFC1766)'),
+ array('name' => 'email', 'fullname' => 'Email', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.3', 'urn' => 'urn:mace:dir:attribute-def:mail', 'description' => 'E-Mail: Preferred address for e-mail to be sent to this person'),
+ array('name' => 'homePostalAddress', 'fullname' => 'Home postal address', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.39', 'urn' => 'urn:mace:dir:attribute-def:homePostalAddress', 'description' => 'Home postal address: Home address of the user'),
+ array('name' => 'postalAddress', 'fullname' => 'Business postal address', 'oid' => 'urn:oid:2.5.4.16', 'urn' => 'urn:mace:dir:attribute-def:postalAddress', 'description' => 'Business postal address: Campus or office address'),
+ array('name' => 'homePhone', 'fullname' => 'Private phone number', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.20', 'urn' => 'urn:mace:dir:attribute-def:homePhone', 'description' => 'Private phone number'),
+ array('name' => 'telephoneNumber', 'fullname' => 'Business phone number', 'oid' => 'urn:oid:2.5.4.20', 'urn' => 'urn:mace:dir:attribute-def:telephoneNumber', 'description' => 'Business phone number: Office or campus phone number'),
+ array('name' => 'mobile', 'fullname' => 'Mobile phone number', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.41', 'urn' => 'urn:mace:dir:attribute-def:mobile', 'description' => 'Mobile phone number'),
+ array('name' => 'eduPersonAffiliation', 'fullname' => 'Affiliation', 'oid' => 
'urn:oid:1.3.6.1.4.1.5923.1.1.1.1', 'urn' => 'urn:mace:dir:attribute-def:eduPersonAffiliation', 'description' => 'Affiliation: Type of affiliation with Home Organization'),
+ array('name' => 'eduPersonOrgDN', 'fullname' => 'Organization path', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.3', 'urn' => 'urn:mace:dir:attribute-def:eduPersonOrgDN', 'description' => 'Organization path: The distinguished name (DN) of the directory entry representing the organization with which the person is associated'),
+ array('name' => 'eduPersonOrgUnitDN', 'fullname' => 'Organizational unit path', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.4', 'urn' => 'urn:mace:dir:attribute-def:eduPersonOrgUnitDN', 'description' => 'Organization unit path: The distinguished name (DN) of the directory entries representing the person\'s Organizational Unit(s)'),
+ array('name' => 'eduPersonEntitlement', 'fullname' => 'Entitlement', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.7', 'urn' => 'urn:mace:dir:attribute-def:eduPersonEntitlement', 'description' => 'Member of: URI (either URL or URN) that indicates a set of rights to specific resources based on an agreement ac'),
+ array('name' => 'surname', 'fullname' => 'Surname', 'oid' => 'urn:oid:2.5.4.4', 'urn' => 'urn:mace:dir:attribute-def:sn', 'description' => 'Surname or family name'),
+ array('name' => 'givenName', 'fullname' => 'Given name', 'oid' => 'urn:oid:2.5.4.42', 'urn' => 'urn:mace:dir:attribute-def:givenName', 'description' => 'Given name of a person'),
+ array('name' => 'uid', 'fullname' => 'User ID', 'oid' => 'urn:oid:0.9.2342.19200300.100.1.1', 'urn' => 'urn:mace:dir:attribute-def:uid', 'description' => 'A unique identifier for a person, mainly used for user identification within the user\'s home organization.'),
+ array('name' => 'employeeNumber', 'fullname' => 'Employee number', 'oid' => 'urn:oid:2.16.840.1.113730.3.1.3', 'urn' => 'urn:mace:dir:attribute-def:employeeNumber', 'description' => 'Identifies an employee within an organization'),
+ 
array('name' => 'ou', 'fullname' => 'Organizational Unit', 'oid' => 'urn:oid:2.5.4.11', 'urn' => 'urn:mace:dir:attribute-def:ou', 'description' => 'OrganizationalUnit currently used for faculty membership of staff at UZH.'),
+ array('name' => 'eduPersonPrincipalName', 'fullname' => 'Principal Name', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.6', 'urn' => 'urn:mace:dir:attribute-def:eduPersonPrincipalName', 'description' => 'eduPerson per Internet2 and EDUCAUSE see http://www.nmi-edit.org/eduPerson/draft-internet2-mace'),
+ array('name' => 'eduPersonAssurance', 'fullname' => 'Assurance Level', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.11', 'urn' => 'urn:mace:dir:attribute-def:assurance', 'description' => 'Level that describes the confidences that one can have into the asserted identity of the user.'),
+ array('name' => 'transientId', 'fullname' => 'transient nameid for backward compatibility', 'oid' => 'urn:oid:1.2.3.4.5.6.7.8.9.10', 'urn' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:transient', 'description' => 'The Shibboleth transient ID is a name format that was used to encode eduPersonTargetedID in the past. 
A limited number of resources outside the Edugate federation still require this format', 'immeta'=>false),
+ array('name' => 'organizationName', 'fullname' => 'Organization Name', 'oid' => 'urn:oid:2.5.4.10', 'urn' => 'urn:mace:dir:attribute-def:o', 'description' => NULL),
+ array('name' => 'eduPersonTargetedID', 'fullname' => 'eduPerson Targeted ID', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.10', 'urn' => 'urn:mace:dir:attribute-def:eduPersonTargetedID', 'description' => 'A pseudonomynous ID generated by the IdP that is unique to each SP'),
+ array('name' => 'persistentUID', 'fullname' => 'persistentUID', 'oid' => 'urn:oid:3.6.1.4.1.5923.1.1.1.10', 'urn' => 'urn:mace:eduserv.org.uk:athens:attribute-def:person:1.0:persistentUID', 'description' => 'This is the Athens persistentUID, it has no OID so we re-use the EduPerson PersistenID OID as it is closest'),
+ array('name' => 'eduPersonScopedAffiliation', 'fullname' => 'Affiliation (Scoped)', 'oid' => 'urn:oid:1.3.6.1.4.1.5923.1.1.1.9', 'urn' => 'urn:mace:dir:attribute-def:eduPersonScopedAffiliation ', 'description' => 'the affiliation of the user to the organisation concatendated with the domain name of the org (e.g. 
staff@dcu.ie)'),
+ array('name' => 'persistentId', 'fullname' => 'persistent nameid', 'oid' => 'urn:oid:1.2.3.4.5.6.7.8.9.11', 'urn' => 'urn:oasis:names:tc:SAML:2.0:nameid-format:persistent', 'description' => 'This attribute will appear in the subject section of AuthnRespones, only to be used if the service cannot handle a persistent ID within the attribute section of the AuthnResponse', 'inmeta'=>false),
+ array('name' => 'freebusyurl', 'fullname' => 'freebusyurl', 'oid' => 'urn:oid:1.3.6.1.4.1.250.1.57', 'urn' => 'urn:mace:heanet.ie:attributedef:freebusyurl', 'description' => 'freebusyurl is a url to a user calendar in caldav format'),
+ array('name' => 'sAMAccountName', 'fullname' => 'sAMAccountName', 'oid' => 'urn:oid:1.2.840.113556.1.4.221', 'urn' => 'urn:oid:1.2.840.113556.1.4.221', 'description' => 'sAMAccountName from Active Directory')
+ );
+
+ $i = 0;
+ foreach ($attributes as $attr) {
+ $at[$i] = new models\Attribute;
+ $at[$i]->setName($attr['name']);
+ $at[$i]->setFullname($attr['fullname']);
+ $at[$i]->setOid($attr['oid']);
+ $at[$i]->setUrn($attr['urn']);
+ $at[$i]->setDescription($attr['description']);
+ if(array_key_exists('inmeta',$attr)){
+ $at[$i]->setShowInmetadata($attr['inmeta']);
+ }
+ else {
+ $at[$i]->setShowInmetadata(true);
+ }
+ $i++;
+ }
+ foreach ($at as $key) {
+ $this->em->persist($key);
+ }
+ return true;
+ }
+
+}
diff --git a/conf/faas-registry.cnf b/conf/faas-registry.cnf
index b14cd145cdc67025ab66f81561d127620d8e2473..0f3c7a115df82babd033b2e91dca39d691d8b935 100644
--- a/conf/faas-registry.cnf
+++ b/conf/faas-registry.cnf
@@ -9,7 +9,7 @@ FAAS_REGISTRY_BASE_URL=http://localhost:9080
 FAAS_REGISTRY_COOKIE_SECURE=FALSE
 FAAS_REGISTRY_TIMEZONE=Europe/Warsaw
-FAAS_REGISTRY_RR_SETUP_ALLOWED=TRUE
+FAAS_REGISTRY_RR_SETUP_ALLOWED=FALSE
 FAAS_REGISTRY_RR_SUPPORT_MAILTO=janny@man.poznan.pl
 FAAS_REGISTRY_DB_HOSTNAME=faas_db
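Review bot: In `_populateAttributes` the transientId row uses the key `'immeta'=>false`, but the loop only honours `array_key_exists('inmeta',$attr)`, so that attribute is persisted with `setShowInmetadata(true)` — the opposite of what the row intends; change it to `'inmeta'=>false` as the persistentId row does. Two more data slips in the same table: the eduPersonScopedAffiliation URN carries a trailing space (`'urn:mace:dir:attribute-def:eduPersonScopedAffiliation '`), and the persistentUID OID `urn:oid:3.6.1.4.1.5923.1.1.1.10` appears to be missing the leading `1.` of the eduPersonTargetedID OID its description says it re-uses. In the constructor the `rr_setup_allowed` check is dead code (`//show_error('Setup is disabled', 404);` is commented out, and this commit flips FAAS_REGISTRY_RR_SETUP_ALLOWED to FALSE in faas-registry.cnf), so `is_cli()` in `submit` is the only gate on a routine that creates the Administrator account and that the Dockerfile copies into the routable controllers directory; either remove the dead branch or gate the CLI path on a flag of its own. `submit` also receives the password as a positional argument, which on the CLI leaves it visible in the process list and shell history, whereas reading it with `getenv('FAAS_REGISTRY_RR_FIRSTUSER_PASSWORD')` (the variable this commit adds) would keep it out of argv. Finally, `_populateFirstUser`, `_populateResources` and `_populateAttributes` create the system roles, resources and attributes unconditionally while only the user is looked up first, so a second run would insert duplicate rows unless a database constraint stops it — worth an existence check, or at least a docblock on `submit` stating that the command is single-shot.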
@@ -17,4 +17,9 @@ FAAS_REGISTRY_DB_USERNAME=rr3_user
 FAAS_REGISTRY_DB_NAME=rr3_db
 FAAS_REGISTRY_RR_MAIL_USER=postfix
-FAAS_REGISTRY_RR_MAIL_FROM=janny@man.poznan.pl
\ No newline at end of file
+FAAS_REGISTRY_RR_MAIL_FROM=janny@man.poznan.pl
+
+FAAS_REGISTRY_RR_FIRSTUSER_USERNAME=admin
+FAAS_REGISTRY_RR_FIRSTUSER_EMAIL=janny@man.poznan.pl
+FAAS_REGISTRY_RR_FIRSTUSER_FNAME=John
+FAAS_REGISTRY_RR_FIRSTUSER_SNAME=Doe