NOJIRA - update testbeds to Shibboleth 5.1.3
Showing
57 changed files
with
5,747 additions
and
69 deletions.
| @@ -0,0 +1,91 @@ | ||
| FROM ubuntu:20.04 as install | ||
|
|
||
| ARG IDP_VERSION=5.1.3 | ||
| ARG SHIBUI_VERSION=2.0.5 | ||
| ARG TOMCAT_VERSION=10.1.28 | ||
| ARG JSTL_VERSION=2.0.0 | ||
|
|
||
| COPY keys/corretto.key /tmp/corretto.key | ||
| COPY keys/SHIB_PGP_KEYS /tmp/SHIB_PGP_KEYS | ||
| COPY keys/TOMCAT_PGP_KEYS /tmp/TOMCAT_PGP_KEYS | ||
|
|
||
| RUN apt update \ | ||
| && apt install -y gnupg software-properties-common curl gnupg rsyslog rsyslog-relp rsyslog-gnutls\ | ||
| && gpg --import /tmp/SHIB_PGP_KEYS \ | ||
| && gpg --import /tmp/TOMCAT_PGP_KEYS | ||
|
|
||
| RUN apt-key add /tmp/corretto.key \ | ||
| && add-apt-repository 'deb https://apt.corretto.aws stable main' \ | ||
| && apt update \ | ||
| && apt install -y java-17-amazon-corretto-jdk | ||
|
|
||
| RUN apt install -y python3-pip \ | ||
| && python3 -m pip install --upgrade pip \ | ||
| && python3 -m pip install awscli \ | ||
| && python3 -m pip install supervisor | ||
|
|
||
| RUN curl https://shibboleth.net/downloads/identity-provider/$IDP_VERSION/shibboleth-identity-provider-$IDP_VERSION.tar.gz -o shibboleth-identity-provider-$IDP_VERSION.tar.gz \ | ||
| && curl https://shibboleth.net/downloads/identity-provider/$IDP_VERSION/shibboleth-identity-provider-$IDP_VERSION.tar.gz.asc -o shibboleth-identity-provider-$IDP_VERSION.tar.gz.asc \ | ||
| && gpg --verify shibboleth-identity-provider-$IDP_VERSION.tar.gz.asc shibboleth-identity-provider-$IDP_VERSION.tar.gz \ | ||
| && tar -zxvf shibboleth-identity-provider-$IDP_VERSION.tar.gz -C /opt \ | ||
| && /opt/shibboleth-identity-provider-$IDP_VERSION/bin/install.sh \ | ||
| --noPrompt \ | ||
| --sealerPassword password \ | ||
| --targetDir /opt/shibboleth-idp \ | ||
| --hostName hostname.com \ | ||
| --entityID http://hostname.com/idp \ | ||
| --keystorePassword password \ | ||
| --scope scope | ||
|
|
||
| RUN curl -L https://archive.apache.org/dist/tomcat/tomcat-10/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz -o apache-tomcat-$TOMCAT_VERSION.tar.gz \ | ||
| && curl https://archive.apache.org/dist/tomcat/tomcat-10/v$TOMCAT_VERSION/bin/apache-tomcat-$TOMCAT_VERSION.tar.gz.asc -o apache-tomcat-$TOMCAT_VERSION.tar.gz.asc \ | ||
| && gpg --verify apache-tomcat-$TOMCAT_VERSION.tar.gz.asc apache-tomcat-$TOMCAT_VERSION.tar.gz \ | ||
| && tar -zxvf apache-tomcat-$TOMCAT_VERSION.tar.gz -C /opt \ | ||
| && rm apache-tomcat-$TOMCAT_VERSION.tar.gz \ | ||
| && mv /opt/apache-tomcat-$TOMCAT_VERSION/ /opt/tomcat \ | ||
| && rm -rf /opt/tomcat/webapps/ | ||
|
|
||
| #JSTL is needed for the idp status page | ||
| RUN mkdir -p /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ | ||
|
|
||
| RUN jstl_hash="377ec3878354cb2c1f96f99031728773c8e2603b"; \ | ||
| curl -L https://repo1.maven.org/maven2/org/glassfish/web/jakarta.servlet.jsp.jstl/$JSTL_VERSION/jakarta.servlet.jsp.jstl-$JSTL_VERSION.jar -o jakarta.servlet.jsp.jstl-$JSTL_VERSION.jar \ | ||
| && echo "$jstl_hash jakarta.servlet.jsp.jstl-$JSTL_VERSION.jar" | sha1sum -c - \ | ||
| && mv jakarta.servlet.jsp.jstl-$JSTL_VERSION.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ | ||
|
|
||
| RUN jstl_api_hash="80e6440f16ae9e26e99f3c25cd31b41b477188ad"; \ | ||
| curl -L https://repo1.maven.org/maven2/jakarta/servlet/jsp/jstl/jakarta.servlet.jsp.jstl-api/$JSTL_VERSION/jakarta.servlet.jsp.jstl-api-$JSTL_VERSION.jar -o jakarta.servlet.jsp.jstl-api-$JSTL_VERSION.jar \ | ||
| && echo "$jstl_api_hash jakarta.servlet.jsp.jstl-api-$JSTL_VERSION.jar" | sha1sum -c - \ | ||
| && mv jakarta.servlet.jsp.jstl-api-$JSTL_VERSION.jar /opt/shibboleth-idp/edit-webapp/WEB-INF/lib/ | ||
|
|
||
| RUN useradd tomcat -U -s /bin/false | ||
| RUN adduser syslog tomcat | ||
|
|
||
| COPY conf/supervisord.conf /usr/local/etc/ | ||
| COPY conf/shibui/ /opt/shibui/ | ||
| COPY conf/shibboleth-idp/ /opt/shibboleth-idp/ | ||
| COPY conf/tomcat/ /opt/tomcat/ | ||
| COPY usr-local-bin/ /usr/local/bin/ | ||
|
|
||
| #Enable ShibUI. | ||
| RUN mkdir /opt/tomcat/webapps | ||
| RUN curl -o /opt/tomcat/webapps/shibui.war -L https://github.internet2.edu/TIER/shib-idp-ui/releases/download/v$SHIBUI_VERSION/shibui-$SHIBUI_VERSION.war | ||
| RUN mkdir -p /opt/shibboleth-idp/metadata/dynamic \ | ||
| && mkdir -p /opt/shibboleth-idp/conf/dynamic \ | ||
| && mkdir -p /opt/shibui | ||
|
|
||
| RUN chmod 750 /usr/local/bin/run-tomcat.sh \ | ||
| && chown -R root:tomcat /opt \ | ||
| && chmod -R o-rwx /opt \ | ||
| && chmod 750 /opt/tomcat/bin/catalina.sh \ | ||
| && chmod -R 750 /opt/shibboleth-idp/bin \ | ||
| && chmod 750 /opt/shibboleth-idp/bin/*.sh \ | ||
| && chown -R root:tomcat /opt/shibboleth-idp/metadata/ | ||
|
|
||
| EXPOSE 8443 | ||
|
|
||
| ENV JAVA_HOME=/usr | ||
| ENV LANG C.UTF-8 | ||
| ENV LC_ALL C.UTF-8 | ||
|
|
||
| ENTRYPOINT ["/usr/local/bin/supervisord"] |
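Review bot: The ShibUI war fetched by `RUN curl -o /opt/tomcat/webapps/shibui.war -L https://github.internet2.edu/TIER/shib-idp-ui/releases/download/v$SHIBUI_VERSION/shibui-$SHIBUI_VERSION.war` is the only downloaded artifact in this Dockerfile that is not verified — the IdP and Tomcat tarballs get `gpg --verify` and both JSTL jars get `sha1sum -c` — so trust in what ends up deployed in Tomcat rests entirely on the TLS connection to the download host. Since SHIBUI_VERSION is already pinned, the same pattern as the JSTL steps fits: `RUN shibui_hash="<SHIBUI_WAR_SHA256 placeholder>"; curl -fL https://github.internet2.edu/TIER/shib-idp-ui/releases/download/v$SHIBUI_VERSION/shibui-$SHIBUI_VERSION.war -o /opt/tomcat/webapps/shibui.war && echo "$shibui_hash  /opt/tomcat/webapps/shibui.war" | sha256sum -c -`. Relatedly, none of the curl invocations in this file pass `--fail`, so an HTTP error page would be written to the output file and the step would continue; for the signed and hashed artifacts the verify step catches that, for the war nothing does. Minor: `gnupg` appears twice in the first `apt install -y` line.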
166 changes: 166 additions & 0 deletions
166
testbed/external-tomcat/conf/shibboleth-idp/conf/attribute-filter.xml
| @@ -0,0 +1,166 @@ | ||
| <?xml version="1.0" encoding="UTF-8"?> | ||
| <!-- | ||
| This file is an EXAMPLE policy file. While the policy presented in this | ||
| example file is illustrative of some simple cases, it relies on the names of | ||
| non-existent example services and the example attributes demonstrated in the | ||
| default attribute-resolver.xml file. | ||
| This example does contain some usable "general purpose" policies that may be | ||
| useful in conjunction with specific deployment choices, but those policies may | ||
| not be applicable to your specific needs or constraints. | ||
| --> | ||
| <AttributeFilterPolicyGroup id="ShibbolethFilterPolicy" | ||
| xmlns="urn:mace:shibboleth:2.0:afp" | ||
| xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" | ||
| xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd"> | ||
|
|
||
| <!-- | ||
| Example rule relying on a locally applied tag in metadata to trigger attribute | ||
| release of some specific attributes. Add additional attributes as desired. | ||
| --> | ||
| <!-- | ||
| <AttributeFilterPolicy id="Per-Attribute-singleValued"> | ||
| <PolicyRequirementRule xsi:type="ANY" /> | ||
| <AttributeRule attributeID="eduPersonPrincipalName"> | ||
| <PermitValueRule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" | ||
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | ||
| attributeValue="eduPersonPrincipalName" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="mail"> | ||
| <PermitValueRule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" | ||
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | ||
| attributeValue="mail" /> | ||
| </AttributeRule> | ||
| </AttributeFilterPolicy> | ||
| --> | ||
|
|
||
| <!-- | ||
| Same as above but more efficient form for an attribute with multiple values. | ||
| --> | ||
| <!-- | ||
| <AttributeFilterPolicy id="Per-Attribute-Affiliation"> | ||
| <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="http://shibboleth.net/ns/attributes/releaseAllValues" | ||
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | ||
| attributeValue="eduPersonScopedAffiliation" /> | ||
| <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> | ||
| </AttributeFilterPolicy> | ||
| --> | ||
|
|
||
| <!-- | ||
| Example rule for honoring Subject ID requirement tag in metadata. | ||
| The example supplies pairwise-id if subject-id isn't explicitly required. | ||
| --> | ||
| <!-- | ||
| <AttributeFilterPolicy id="subject-identifiers"> | ||
| <PolicyRequirementRule xsi:type="ANY" /> | ||
| <AttributeRule attributeID="samlPairwiseID"> | ||
| <PermitValueRule xsi:type="OR"> | ||
| <Rule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | ||
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | ||
| attributeValue="pairwise-id" /> | ||
| <Rule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | ||
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | ||
| attributeValue="any" /> | ||
| </PermitValueRule> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="samlSubjectID"> | ||
| <PermitValueRule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="urn:oasis:names:tc:SAML:profiles:subject-id:req" | ||
| attributeNameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:uri" | ||
| attributeValue="subject-id" /> | ||
| </AttributeRule> | ||
| </AttributeFilterPolicy> | ||
| --> | ||
|
|
||
| <!-- Release an additional attribute to an SP. --> | ||
| <!-- | ||
| <AttributeFilterPolicy id="example1"> | ||
| <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" /> | ||
| <AttributeRule attributeID="uid" permitAny="true" /> | ||
| </AttributeFilterPolicy> | ||
| --> | ||
|
|
||
| <!-- Release eduPersonScopedAffiliation to two specific SPs. --> | ||
| <!-- | ||
| <AttributeFilterPolicy id="example2"> | ||
| <PolicyRequirementRule xsi:type="OR"> | ||
| <Rule xsi:type="Requester" value="https://sp.example.org" /> | ||
| <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" /> | ||
| </PolicyRequirementRule> | ||
| <AttributeRule attributeID="eduPersonScopedAffiliation" permitAny="true" /> | ||
| </AttributeFilterPolicy> | ||
| --> | ||
| <AttributeFilterPolicy> | ||
| <PolicyRequirementRule xsi:type="Requester" value="https://unicon.net/test/shibui"/> | ||
| <AttributeRule attributeID="uid"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| </AttributeFilterPolicy> | ||
|
|
||
| <!-- release some attributes to everyone. this is the R&S bundle --> | ||
| <AttributeFilterPolicy id="releaseRandSAttributeBundle"> | ||
| <PolicyRequirementRule xsi:type="ANY" /> | ||
| <AttributeRule attributeID="eduPersonPrincipalName"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="eduPersonScopedAffiliation"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="givenName"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="surname"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="displayName"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="mail"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="eduPersonEntitlement"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="businessCategory"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| </AttributeFilterPolicy> | ||
|
|
||
| <!-- Attribute release for all InCommon SPs --> | ||
| <AttributeFilterPolicy id="releaseToInCommon"> | ||
| <PolicyRequirementRule xsi:type="EntityAttributeExactMatch" | ||
| attributeName="http://macedir.org/entity-category" | ||
| attributeValue="http://id.incommon.org/category/registered-by-incommon"/> | ||
| <AttributeRule attributeID="eduPersonPrincipalName"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="eduPersonScopedAffiliation"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="givenName"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="surname"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="displayName"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| <AttributeRule attributeID="mail"> | ||
| <PermitValueRule xsi:type="ANY" /> | ||
| </AttributeRule> | ||
| </AttributeFilterPolicy> | ||
|
|
||
|
|
||
| </AttributeFilterPolicyGroup> |
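Review bot: The `releaseRandSAttributeBundle` policy, via `<PolicyRequirementRule xsi:type="ANY" />`, releases eduPersonPrincipalName, mail, givenName, surname, displayName, eduPersonEntitlement and businessCategory to every requester, which is broader than the comment `release some attributes to everyone. this is the R&S bundle` suggests — the R&S bundle is normally gated on the `http://refeds.org/category/research-and-scholarship` entity category, the way `releaseToInCommon` below is gated on `registered-by-incommon` with an `EntityAttributeExactMatch`, and it does not include eduPersonEntitlement or businessCategory. If unconditional release is deliberate for the testbed, the comment should say so, e.g. `<!-- TESTBED ONLY: releases an R&S-style bundle plus eduPersonEntitlement/businessCategory to ANY requester; not a production policy -->`; otherwise key the rule on the R&S category like the InCommon policy. Separately, the policy for `https://unicon.net/test/shibui` is the only `AttributeFilterPolicy` here without an `id`; adding one, `<AttributeFilterPolicy id="releaseToShibUI">`, keeps log and audit lines attributable to a named policy like the others.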