000-comanage.conf

@@ -18,51 +18,30 @@
 # limitations under the License.
 
 Listen 443
-ServerName %%SERVER_NAME%%
+ServerName ${COMANAGE_REGISTRY_VIRTUAL_HOST_FQDN}
 PassEnv ENV
 PassEnv USERTOKEN
 
-<VirtualHost *:80>
-ServerName http://%%SERVER_NAME%%:80
-RewriteEngine On
-RewriteCond %{HTTPS} off
-RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
-</VirtualHost>
+Include apache-include-virtual-host-port80-redirect
 
 <VirtualHost *:443>
 
-ServerName https://%%SERVER_NAME%%:443
+Include apache-include-virtual-host-port443-base
+
+SSLCertificateFile /etc/httpd/cert.pem
+SSLCertificateKeyFile /etc/httpd/privkey.pem
 
 PassEnv ENV
 PassEnv USERTOKEN
 
-DocumentRoot /var/www/html
-
-RedirectMatch ^/$ /registry/
-
 ErrorLogFormat "httpd;ssl_error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i"
 ErrorLog /tmp/logpipe
 LogLevel warn
 
 LogFormat "httpd;ssl_access_log;%{ENV}e;%{USERTOKEN}e;%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" ssl_combined
 CustomLog /tmp/logpipe ssl_combined
 
-Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
-
-SSLEngine on
-SSLProtocol all -SSLv2 -SSLv3
-SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
-SSLHonorCipherOrder on
-
-SSLCertificateFile /etc/httpd/cert.pem
-SSLCertificateKeyFile /etc/httpd/privkey.pem
-
-<Directory /var/www/html/registry>
-Options Indexes FollowSymLinks
-DirectoryIndex index.php
-AllowOverride All
-Require all granted
-</Directory>
+Include apache-include-directory-registry
 
 <Location "/Shibboleth.sso">
 SetHandler shib
@@ -81,6 +60,6 @@ Require shibboleth
 
 RewriteEngine On
 RewriteCond %{QUERY_STRING} !after_redirect
-RewriteRule ^/registry/auth/logout.* https://%%SERVER_NAME%%/Shibboleth.sso/Logout?return=https://%%SERVER_NAME%%/registry/auth/logout/?after_redirect [L,R]
+RewriteRule ^/registry/auth/logout.* https://%{HTTP_HOST}/Shibboleth.sso/Logout?return=https://%{HTTP_HOST}/registry/auth/logout/?after_redirect [L,R]
 
 </VirtualHost>

Dockerfile

@@ -16,73 +16,32 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM centos:centos7 AS php-build
+ARG COMANAGE_REGISTRY_VERSION=3.2.3
+ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION=3.2.3-20200224-rc1
+ARG COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION=3.2.3-20200224-rc1
 
-RUN yum -y install epel-release
+FROM tier/comanage-registry-base:${COMANAGE_REGISTRY_VERSION}-${COMANAGE_REGISTRY_BASE_IMAGE_VERSION} AS comanage
 
-RUN yum -y update && yum -y install \
-        autoconf \
-        bison \
-        gcc \
-        httpd-devel \
-        libargon2-devel \
-        libcurl-devel \
-        libedit-devel \
-        libsodium-devel \
-        libxml2-devel \
-        libxslt-devel \
-        make \
-        mariadb-devel \
-        openldap-devel \
-        openssl-devel \
-        postgresql-devel \
-        re2c \
-        wget
-
-WORKDIR /usr/local/src
-
-ARG PHP_VERSION=7.2.5
-ARG PHP_SRC_URL=https://github.com/php/php-src/archive/php-${PHP_VERSION}.tar.gz
-
-RUN mkdir php-src \
-        && wget -O php-src.tar.gz ${PHP_SRC_URL} \
-        && tar zxf php-src.tar.gz -C php-src --strip-components=1 \
-        && rm php-src.tar.gz
-
-ENV PHP_CFLAGS="-fstack-protector-strong -fpic -fpie -O2"
-ENV PHP_CPPFLAGS="$PHP_CFLAGS"
-ENV PHP_LDFLAGS="-Wl,-O1 -Wl,--hash-style=both -pie"
-
-RUN cd php-src \
-        && ./buildconf --force \
-        && ./configure \
-            --disable-cgi \
-            --enable-mbstring \
-            --enable-mysqlnd \
-            --with-apxs2=/usr/bin/apxs \
-            --with-config-file-path=/usr/local/etc/php \
-            --with-config-file-scan-dir=/usr/local/etc/php/conf.d \
-            --with-curl \
-            --with-ldap \
-            --with-libdir=lib64 \
-            --with-libedit \
-            --with-mysqli \
-            --with-openssl \
-            --with-password-argon2 \
-            --with-pdo-mysql \
-            --with-pdo-pgsql \
-            --with-pgsql \
-            --with-sodium \
-            --with-xsl \
-            --with-zlib \
-        && export CFLAGS="$PHP_CFLAGS" \
-        && export CPPFLAGS="$PHP_CPPFLAGS" \
-        && export LDFLAGS="$PHP_LDFLAGS" \
-        && make -j "$(nproc)" \
-        && make install 
+FROM tier/comanage-registry-internet2-tier-base:${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION} AS php-build
 
 FROM centos:centos7
 
+ARG COMANAGE_REGISTRY_VERSION
+ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION}
+LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
+
+ARG COMANAGE_REGISTRY_BASE_IMAGE_VERSION
+ENV COMANAGE_REGISTRY_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}
+LABEL comanage_registry_base_image_version=${COMANAGE_REGISTRY_BASE_IMAGE_VERSION}
+
+ARG COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION
+ENV COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION ${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}
+LABEL comanage_registry_i2_base_image_version=${COMANAGE_REGISTRY_I2_BASE_IMAGE_VERSION}
+
+ARG COMANAGE_REGISTRY_DIR
+ENV COMANAGE_REGISTRY_DIR ${COMANAGE_REGISTRY_DIR:-/srv/comanage-registry}
+LABEL comanage_registry_dir=${COMANAGE_REGISTRY_DIR}
+
 RUN yum -y install epel-release
 
 COPY shibboleth.repo /etc/yum.repos.d/
@@ -101,6 +60,7 @@ RUN yum -y update && yum -y install \
         postgresql \
         python-pip \
         shibboleth \
+        sudo \
         wget \
         zlib \
     && pip install --upgrade pip \
@@ -112,28 +72,13 @@ COPY --from=php-build /usr/local/lib/php /usr/local/lib/php/
 COPY --from=php-build /usr/local/include/php /usr/local/include/php/
 COPY --from=php-build /usr/local/bin /usr/local/bin/
 
-ARG COMANAGE_REGISTRY_VERSION=3.1.1
-ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/${COMANAGE_REGISTRY_VERSION}.tar.gz
-ENV COMANAGE_REGISTRY_VERSION ${COMANAGE_REGISTRY_VERSION}
-
-LABEL comanage_registry_version=${COMANAGE_REGISTRY_VERSION}
-LABEL comanage_registry_src_url=${COMANAGE_REGISTRY_SRC_URL}
-
-ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry
-
-WORKDIR "$COMANAGE_REGISTRY_DIR"
-
-RUN mkdir -p "${COMANAGE_REGISTRY_DIR}" \
-        && wget -O comanage.tar.gz ${COMANAGE_REGISTRY_SRC_URL} \
-        && tar -zxf comanage.tar.gz -C ${COMANAGE_REGISTRY_DIR} --strip-components=1 \
-        && rm -f comanage.tar.gz \
-        && rm -f ${COMANAGE_REGISTRY_DIR}/app/tmp \
-        && cp -r ${COMANAGE_REGISTRY_DIR}/app/tmp.dist ${COMANAGE_REGISTRY_DIR}/app/tmp \
-        && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
-        && cd /var/www/html \
-        && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \
-        && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \
-        && ln -s ${COMANAGE_REGISTRY_DIR}/local /local 
+COPY --from=comanage ${COMANAGE_REGISTRY_DIR} ${COMANAGE_REGISTRY_DIR}/
+COPY --from=comanage /etc/apache2/apache-include-directory-registry /etc/httpd/
+COPY --from=comanage /etc/apache2/apache-include-virtual-host-port443-base /etc/httpd/
+COPY --from=comanage /etc/apache2/apache-include-virtual-host-port80-redirect /etc/httpd/
+COPY --from=comanage /usr/local/lib/comanage_utils.sh /usr/local/lib/
+COPY --from=comanage /usr/local/lib/comanage_shibboleth_sp_utils.sh /usr/local/lib/
+COPY --from=comanage /usr/local/bin/docker-comanage-entrypoint /usr/local/bin/
 
 COPY 000-comanage.conf /etc/httpd/conf.d/
 COPY 10-php7.conf /etc/httpd/conf.modules.d/
@@ -144,6 +89,9 @@ COPY native.logger /etc/shibboleth/
 COPY httpd.conf /etc/httpd/conf/
 COPY sendtierbeacon.sh /usr/local/bin/sendtierbeacon.sh
 COPY setupcron.sh /usr/local/bin/setupcron.sh
+COPY docker-comanage-entrypoint /usr/local/bin/
+COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
+COPY docker-supervisord-entrypoint /usr/local/bin/
 
 RUN cd /etc/httpd/conf.d \
     && rm -f autoindex.conf ssl.conf userdir.conf welcome.conf \
@@ -152,7 +100,12 @@ RUN cd /etc/httpd/conf.d \
     && ln -s /etc/pki/tls/private/localhost.key privkey.pem \
     && chmod 755 /usr/local/bin/sendtierbeacon.sh \
     && chmod 755 /usr/local/bin/setupcron.sh \
-    && /usr/local/bin/setupcron.sh
+    && /usr/local/bin/setupcron.sh \
+    && cd /var/www/html \
+    && ln -s ${COMANAGE_REGISTRY_DIR}/app/webroot registry \
+    && rm -rf ${COMANAGE_REGISTRY_DIR}/local/* \
+    && chown -R apache:apache ${COMANAGE_REGISTRY_DIR}/app/tmp \
+    && rm -f /etc/shibboleth/shibboleth2.xml
 
 # Allow values for first administrator bootstrapped into the
 # platform to be specified at image build time, in addition to
@@ -169,15 +122,9 @@ ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-A
 ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
 ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
 
-EXPOSE 80 443
-
-VOLUME ["/srv/comanage-registry/local"]
-
-VOLUME ["/etc/shibboleth"]
+VOLUME ${COMANAGE_REGISTRY_DIR}/local /etc/shibboleth
 
-COPY docker-comanage-entrypoint /usr/local/bin/
-COPY docker-comanage-shibboleth-sp-entrypoint /usr/local/bin/
-COPY docker-supervisord-entrypoint /usr/local/bin/
+EXPOSE 80 443
 
 # TIER Beacon Opt-out
 #
@@ -191,7 +138,7 @@ COPY docker-supervisord-entrypoint /usr/local/bin/
 # following line (to prevent other scripts from processing it).
 #####     ENV TIER_BEACON_OPT_OUT True
 
-ENV TIER_RELEASE=180801
+ENV TIER_RELEASE=180501
 ENV TIER_MAINTAINER=tier
 
 ENTRYPOINT ["docker-supervisord-entrypoint"]

Jenkinsfile

@@ -4,7 +4,7 @@ pipeline {
         maintainer = "t"
         imagename = 'g'
         tag = 'l'
-        version='3.1.1'
+        version='3.2.3'
     }
     stages {
         stage('Setting build context') {
@@ -34,7 +34,7 @@ pipeline {
             steps {
                 script {
                    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-                      def baseImg = docker.build("$maintainer/$imagename", "--build-arg COMANAGE_REGISTRY_VERSION=$version .")
+                      def baseImg = docker.build("$maintainer/$imagename", "--no-cache --build-arg COMANAGE_REGISTRY_VERSION=$version .")
                       baseImg.push("$tag")
                    }
                }

common.bash

@@ -1,3 +1,3 @@
 maintainer="tier"
 imagename="comanage"
-COMANAGE_REGISTRY_VERSION="3.1.1"
+COMANAGE_REGISTRY_VERSION="3.2.3"

container_files/cert/InCommon.crt

@@ -0,0 +1,91 @@
+-----BEGIN CERTIFICATE-----
+MIIF+TCCA+GgAwIBAgIQRyDQ+oVGGn4XoWQCkYRjdDANBgkqhkiG9w0BAQwFADCB
+iDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCk5ldyBKZXJzZXkxFDASBgNVBAcTC0pl
+cnNleSBDaXR5MR4wHAYDVQQKExVUaGUgVVNFUlRSVVNUIE5ldHdvcmsxLjAsBgNV
+BAMTJVVTRVJUcnVzdCBSU0EgQ2VydGlmaWNhdGlvbiBBdXRob3JpdHkwHhcNMTQx
+MDA2MDAwMDAwWhcNMjQxMDA1MjM1OTU5WjB2MQswCQYDVQQGEwJVUzELMAkGA1UE
+CBMCTUkxEjAQBgNVBAcTCUFubiBBcmJvcjESMBAGA1UEChMJSW50ZXJuZXQyMREw
+DwYDVQQLEwhJbkNvbW1vbjEfMB0GA1UEAxMWSW5Db21tb24gUlNBIFNlcnZlciBD
+QTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAJwb8bsvf2MYFVFRVA+e
+xU5NEFj6MJsXKZDmMwysE1N8VJG06thum4ltuzM+j9INpun5uukNDBqeso7JcC7v
+HgV9lestjaKpTbOc5/MZNrun8XzmCB5hJ0R6lvSoNNviQsil2zfVtefkQnI/tBPP
+iwckRR6MkYNGuQmm/BijBgLsNI0yZpUn6uGX6Ns1oytW61fo8BBZ321wDGZq0GTl
+qKOYMa0dYtX6kuOaQ80tNfvZnjNbRX3EhigsZhLI2w8ZMA0/6fDqSl5AB8f2IHpT
+eIFken5FahZv9JNYyWL7KSd9oX8hzudPR9aKVuDjZvjs3YncJowZaDuNi+L7RyML
+fzcCAwEAAaOCAW4wggFqMB8GA1UdIwQYMBaAFFN5v1qqK0rPVIDh2JvAnfKyA2bL
+MB0GA1UdDgQWBBQeBaN3j2yW4luHS6a0hqxxAAznODAOBgNVHQ8BAf8EBAMCAYYw
+EgYDVR0TAQH/BAgwBgEB/wIBADAdBgNVHSUEFjAUBggrBgEFBQcDAQYIKwYBBQUH
+AwIwGwYDVR0gBBQwEjAGBgRVHSAAMAgGBmeBDAECAjBQBgNVHR8ESTBHMEWgQ6BB
+hj9odHRwOi8vY3JsLnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQ2VydGlmaWNh
+dGlvbkF1dGhvcml0eS5jcmwwdgYIKwYBBQUHAQEEajBoMD8GCCsGAQUFBzAChjNo
+dHRwOi8vY3J0LnVzZXJ0cnVzdC5jb20vVVNFUlRydXN0UlNBQWRkVHJ1c3RDQS5j
+cnQwJQYIKwYBBQUHMAGGGWh0dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZI
+hvcNAQEMBQADggIBAC0RBjjW29dYaK+qOGcXjeIT16MUJNkGE+vrkS/fT2ctyNMU
+11ZlUp5uH5gIjppIG8GLWZqjV5vbhvhZQPwZsHURKsISNrqOcooGTie3jVgU0W+0
++Wj8mN2knCVANt69F2YrA394gbGAdJ5fOrQmL2pIhDY0jqco74fzYefbZ/VS29fR
+5jBxu4uj1P+5ZImem4Gbj1e4ZEzVBhmO55GFfBjRidj26h1oFBHZ7heDH1Bjzw72
+hipu47Gkyfr2NEx3KoCGMLCj3Btx7ASn5Ji8FoU+hCazwOU1VX55mKPU1I2250Lo
+RCASN18JyfsD5PVldJbtyrmz9gn/TKbRXTr80U2q5JhyvjhLf4lOJo/UzL5WCXED
+Smyj4jWG3R7Z8TED9xNNCxGBMXnMete+3PvzdhssvbORDwBZByogQ9xL2LUZFI/i
+eoQp0UM/L8zfP527vWjEzuDN5xwxMnhi+vCToh7J159o5ah29mP+aJnvujbXEnGa
+nrNxHzu+AGOePV8hwrGGG7hOIcPDQwkuYwzN/xT29iLp/cqf9ZhEtkGcQcIImH3b
+oJ8ifsCnSbu0GB9L06Yqh7lcyvKDTEADslIaeSEINxhO2Y1fmcYFX/Fqrrp1WnhH
+OjplXuXE0OPa0utaKC25Aplgom88L2Z8mEWcyfoB7zKOfD759AN7JKZWCYwk
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIFdzCCBF+gAwIBAgIQE+oocFv07O0MNmMJgGFDNjANBgkqhkiG9w0BAQwFADBv
+MQswCQYDVQQGEwJTRTEUMBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFk
+ZFRydXN0IEV4dGVybmFsIFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBF
+eHRlcm5hbCBDQSBSb290MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFow
+gYgxCzAJBgNVBAYTAlVTMRMwEQYDVQQIEwpOZXcgSmVyc2V5MRQwEgYDVQQHEwtK
+ZXJzZXkgQ2l0eTEeMBwGA1UEChMVVGhlIFVTRVJUUlVTVCBOZXR3b3JrMS4wLAYD
+VQQDEyVVU0VSVHJ1c3QgUlNBIENlcnRpZmljYXRpb24gQXV0aG9yaXR5MIICIjAN
+BgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAgBJlFzYOw9sIs9CsVw127c0n00yt
+UINh4qogTQktZAnczomfzD2p7PbPwdzx07HWezcoEStH2jnGvDoZtF+mvX2do2NC
+tnbyqTsrkfjib9DsFiCQCT7i6HTJGLSR1GJk23+jBvGIGGqQIjy8/hPwhxR79uQf
+jtTkUcYRZ0YIUcuGFFQ/vDP+fmyc/xadGL1RjjWmp2bIcmfbIWax1Jt4A8BQOujM
+8Ny8nkz+rwWWNR9XWrf/zvk9tyy29lTdyOcSOk2uTIq3XJq0tyA9yn8iNK5+O2hm
+AUTnAU5GU5szYPeUvlM3kHND8zLDU+/bqv50TmnHa4xgk97Exwzf4TKuzJM7UXiV
+Z4vuPVb+DNBpDxsP8yUmazNt925H+nND5X4OpWaxKXwyhGNVicQNwZNUMBkTrNN9
+N6frXTpsNVzbQdcS2qlJC9/YgIoJk2KOtWbPJYjNhLixP6Q5D9kCnusSTJV882sF
+qV4Wg8y4Z+LoE53MW4LTTLPtW//e5XOsIzstAL81VXQJSdhJWBp/kjbmUZIO8yZ9
+HE0XvMnsQybQv0FfQKlERPSZ51eHnlAfV1SoPv10Yy+xUGUJ5lhCLkMaTLTwJUdZ
++gQek9QmRkpQgbLevni3/GcV4clXhB4PY9bpYrrWX1Uu6lzGKAgEJTm4Diup8kyX
+HAc/DVL17e8vgg8CAwEAAaOB9DCB8TAfBgNVHSMEGDAWgBStvZh6NLQm9/rEJlTv
+A73gJMtUGjAdBgNVHQ4EFgQUU3m/WqorSs9UgOHYm8Cd8rIDZsswDgYDVR0PAQH/
+BAQDAgGGMA8GA1UdEwEB/wQFMAMBAf8wEQYDVR0gBAowCDAGBgRVHSAAMEQGA1Ud
+HwQ9MDswOaA3oDWGM2h0dHA6Ly9jcmwudXNlcnRydXN0LmNvbS9BZGRUcnVzdEV4
+dGVybmFsQ0FSb290LmNybDA1BggrBgEFBQcBAQQpMCcwJQYIKwYBBQUHMAGGGWh0
+dHA6Ly9vY3NwLnVzZXJ0cnVzdC5jb20wDQYJKoZIhvcNAQEMBQADggEBAJNl9jeD
+lQ9ew4IcH9Z35zyKwKoJ8OkLJvHgwmp1ocd5yblSYMgpEg7wrQPWCcR23+WmgZWn
+RtqCV6mVksW2jwMibDN3wXsyF24HzloUQToFJBv2FAY7qCUkDrvMKnXduXBBP3zQ
+YzYhBx9G/2CkkeFnvN4ffhkUyWNnkepnB2u0j4vAbkN9w6GAbLIevFOFfdyQoaS8
+Le9Gclc1Bb+7RrtubTeZtv8jkpHGbkD4jylW6l/VXxRTrPBPYer3IsynVgviuDQf
+Jtl7GQVoP7o81DgGotPmjw7jtHFtQELFhLRAlSv0ZaBIefYdgWOWnU914Ph85I6p
+0fKtirOMxyHNwu8=
+-----END CERTIFICATE-----
+-----BEGIN CERTIFICATE-----
+MIIENjCCAx6gAwIBAgIBATANBgkqhkiG9w0BAQUFADBvMQswCQYDVQQGEwJTRTEU
+MBIGA1UEChMLQWRkVHJ1c3QgQUIxJjAkBgNVBAsTHUFkZFRydXN0IEV4dGVybmFs
+IFRUUCBOZXR3b3JrMSIwIAYDVQQDExlBZGRUcnVzdCBFeHRlcm5hbCBDQSBSb290
+MB4XDTAwMDUzMDEwNDgzOFoXDTIwMDUzMDEwNDgzOFowbzELMAkGA1UEBhMCU0Ux
+FDASBgNVBAoTC0FkZFRydXN0IEFCMSYwJAYDVQQLEx1BZGRUcnVzdCBFeHRlcm5h
+bCBUVFAgTmV0d29yazEiMCAGA1UEAxMZQWRkVHJ1c3QgRXh0ZXJuYWwgQ0EgUm9v
+dDCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBALf3GjPm8gAELTngTlvt
+H7xsD821+iO2zt6bETOXpClMfZOfvUq8k+0DGuOPz+VtUFrWlymUWoCwSXrbLpX9
+uMq/NzgtHj6RQa1wVsfwTz/oMp50ysiQVOnGXw94nZpAPA6sYapeFI+eh6FqUNzX
+mk6vBbOmcZSccbNQYArHE504B4YCqOmoaSYYkKtMsE8jqzpPhNjfzp/haW+710LX
+a0Tkx63ubUFfclpxCDezeWWkWaCUN/cALw3CknLa0Dhy2xSoRcRdKn23tNbE7qzN
+E0S3ySvdQwAl+mG5aWpYIxG3pzOPVnVZ9c0p10a3CitlttNCbxWyuHv77+ldU9U0
+WicCAwEAAaOB3DCB2TAdBgNVHQ4EFgQUrb2YejS0Jvf6xCZU7wO94CTLVBowCwYD
+VR0PBAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wgZkGA1UdIwSBkTCBjoAUrb2YejS0
+Jvf6xCZU7wO94CTLVBqhc6RxMG8xCzAJBgNVBAYTAlNFMRQwEgYDVQQKEwtBZGRU
+cnVzdCBBQjEmMCQGA1UECxMdQWRkVHJ1c3QgRXh0ZXJuYWwgVFRQIE5ldHdvcmsx
+IjAgBgNVBAMTGUFkZFRydXN0IEV4dGVybmFsIENBIFJvb3SCAQEwDQYJKoZIhvcN
+AQEFBQADggEBALCb4IUlwtYj4g+WBpKdQZic2YR5gdkeWxQHIzZlj7DYd7usQWxH
+YINRsPkyPef89iYTx4AWpb9a/IfPeHmJIZriTAcKhjW88t5RxNKWt9x+Tu5w/Rw5
+6wwCURQtjr0W4MHfRnXnJK3s9EK0hZNwEGe6nQY1ShjTK3rMUUKhemPR5ruhxSvC
+Nr4TDea9Y355e6cJDUCrat2PisP29owaQgVR1EX1n6diIWgVIEM8med8vSTYqZEX
+c4g/VhsxOBi0cQ+azcgOno4uG+GMmIPLHzHxREzGBHNJdmAPx/i9F4BrLunMTA5a
+mnkPIAou1Z5jJh5VkpTYghdae9C8x49OhgQ=
+-----END CERTIFICATE-----

docker-comanage-entrypoint

@@ -19,332 +19,34 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-if [ -n "$COMANAGE_DEBUG" ]
-then
-    OUTPUT=/dev/stdout
-else
-    OUTPUT=/dev/null
-fi
 
-# Configuration details that may be injected through environment
-# variables or the contents of files.
+source /usr/local/lib/comanage_utils.sh
 
-injectable_config_vars=( 
-    COMANAGE_REGISTRY_DATASOURCE
-    COMANAGE_REGISTRY_DATABASE
-    COMANAGE_REGISTRY_DATABASE_HOST
-    COMANAGE_REGISTRY_DATABASE_USER
-    COMANAGE_REGISTRY_DATABASE_USER_PASSWORD
-    COMANAGE_REGISTRY_EMAIL_FROM
-    COMANAGE_REGISTRY_EMAIL_TRANSPORT
-    COMANAGE_REGISTRY_EMAIL_HOST
-    COMANAGE_REGISTRY_EMAIL_PORT
-    COMANAGE_REGISTRY_EMAIL_ACCOUNT
-    COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD
-    COMANAGE_REGISTRY_SECURITY_SALT
-    COMANAGE_REGISTRY_SECURITY_SEED
-    ENV
-    HTTPS_CERT_FILE
-    HTTPS_PRIVKEY_FILE
-    SERVER_NAME
-    USERTOKEN
-)
+comanage_utils::consume_injected_environment
 
-# If the file associated with a configuration variable is present then 
-# read the value from it into the appropriate variable. So for example
-# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
-# value points to a file on the file system then read the contents
-# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
+comanage_utils::prepare_local_directory
 
-for config_var in "${injectable_config_vars[@]}"
-do
-    eval file_name=\$"${config_var}_FILE";
+comanage_utils::configure_tier_logging
 
-    if [ -e "$file_name" ]; then
-        declare "${config_var}"=`cat $file_name`
-    fi
-done
+comanage_utils::prepare_database_config
 
-# Make sure the directory structure we need is available
-# in the data volume for $COMANAGE_REGISTRY_DIR/local
-mkdir -p "$COMANAGE_REGISTRY_DIR/local/Config"
-mkdir -p "$COMANAGE_REGISTRY_DIR/local/Plugin"
-mkdir -p "$COMANAGE_REGISTRY_DIR/local/View/Pages/public"
-mkdir -p "$COMANAGE_REGISTRY_DIR/local/webroot/img"
+comanage_utils::prepare_email_config
 
-# If the COmanage Registry database configuration file does not exist
-# then try to create it from injected information with reasonable defaults
-# that aid simple evaluation deployments.
-if [ ! -e "$COMANAGE_REGISTRY_DIR/local/Config/database.php" ]; then
-    cat > "$COMANAGE_REGISTRY_DIR/local/Config/database.php" <<EOF
-<?php
+comanage_utils::prepare_https_cert_key
 
-class DATABASE_CONFIG {
+comanage_utils::prepare_server_name
 
-  public \$default = array(
-    'datasource' => '${COMANAGE_REGISTRY_DATASOURCE:-Database/Mysql}',
-    'persistent' => false,
-    'host' => '${COMANAGE_REGISTRY_DATABASE_HOST:-comanage-registry-database}',
-    'login' => '${COMANAGE_REGISTRY_DATABASE_USER:-registry_user}',
-    'password' => '${COMANAGE_REGISTRY_DATABASE_USER_PASSWORD:-password}',
-    'database' => '${COMANAGE_REGISTRY_DATABASE:-registry}',
-    'prefix' => 'cm_',
-  );
+comanage_utils::wait_database_connectivity
 
-}
-EOF
-fi
+comanage_utils::registry_setup
 
-# If the COmanage Registry email configuration file does not exist
-# then try to create it from injected information with reasonable defaults
-# that aid simple evaluation deployments.
-email_config="$COMANAGE_REGISTRY_DIR/local/Config/email.php"
+comanage_utils::registry_upgrade
 
-if [ ! -e "$email_config" ]; then
-    # If the deployer has injected an email for from then use it,
-    # otherwise set a default purely as a template that can edited
-    # easier later.
-    if [ -n "$COMANAGE_REGISTRY_EMAIL_FROM" ]; then
-        email_from="$COMANAGE_REGISTRY_EMAIL_FROM"
-    else
-        email_from="array('account@gmail.com' => 'Registry')"
-    fi
+comanage_utils::enable_plugins
 
-    # If the injected email from does not include a single quote (')
-    # then add them to make it a PHP string.
-    if [[ ! $email_from =~ .*"'".* ]]; then
-        email_from="'$email_from'"
-    fi
+comanage_utils::registry_clear_cache
 
-    cat > "$email_config" <<EOF
-<?php
-
-class EmailConfig {
-
-  public \$default = array(
-    'from' => $email_from,
-    'transport' => '${COMANAGE_REGISTRY_EMAIL_TRANSPORT:-Smtp}',
-    'host' => '${COMANAGE_REGISTRY_EMAIL_HOST:-tls://smtp.gmail.com}',
-    'port' => ${COMANAGE_REGISTRY_EMAIL_PORT:-465},
-EOF
-
-    # If the deployer has injected a username then add it to the configuration.
-    if [ -n "$COMANAGE_REGISTRY_EMAIL_ACCOUNT" ]; then
-       cat >> "$email_config" <<EOF
-    'username' => '$COMANAGE_REGISTRY_EMAIL_ACCOUNT',
-EOF
-    fi
-
-    # If the deployer has injected a password then add it to the configuration.
-    if [ -n "$COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD" ]; then
-        cat >> "$email_config" <<EOF
-    'password' => '$COMANAGE_REGISTRY_EMAIL_ACCOUNT_PASSWORD',
-EOF
-    fi
-
-    # Complete the PHP array.
-    cat >> "$email_config" <<EOF
-  );
-}
-EOF
-
-fi
-
-# Loop until we are able to open a connection to the database.
-DATABASE_TEST_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/DatabaseTestShell.php"
-
-cat > $DATABASE_TEST_SCRIPT <<"EOF"
-<?php
-
-App::import('Model', 'ConnectionManager');
-
-class DatabaseTestShell extends AppShell {
-  function main() {
-    try {
-      $db = ConnectionManager::getDataSource('default');
-    } catch (Exception $e) {
-      $this->error("Unable to connect to datasource");
-    }
-    $this->out("Connected to datasource");
-  }
-}
-EOF
-
-pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
-
-until ./Console/cake databaseTest > "$OUTPUT" 2>&1; do
-    >&2 echo "Database is unavailable - sleeping"
-    sleep 1
-done
-
-rm -f "$DATABASE_TEST_SCRIPT"
-
-popd > "$OUTPUT" 2>&1
-
-# We only want to run the setup script once since it creates
-# state in the database. Until COmanage Registry has a better
-# mechanism for telling us if setup has already been run
-# we create an ephemeral CakePHP script to tell us.
-SETUP_ALREADY_SCRIPT="$COMANAGE_REGISTRY_DIR/app/Console/Command/SetupAlreadyShell.php"
-
-cat > $SETUP_ALREADY_SCRIPT <<"EOF"
-<?php
-
-class SetupAlreadyShell extends AppShell {
-  var $uses = array('Co');
-
-  function main() {
-    $args = array();
-    $args['conditions']['Co.name'] = 'COmanage';
-    $args['contain'] = false;
-
-    try {
-      $co = $this->Co->find('first', $args);
-    } catch (CakeException $e) {
-      $this->out('Not setup already');
-    }
-
-    if(empty($co)) {
-      $this->out('Not setup already');
-    } else {
-      $this->error('Setup already');
-    }
-  }
-}
-EOF
-
-pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
-./Console/cake setupAlready > "$OUTPUT" 2>&1
-setup_already=$?
-
-rm -f "$SETUP_ALREADY_SCRIPT"
-
-if [ $setup_already -eq 0 ]; then
-    rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" > "$OUTPUT" 2>&1
-    rm -f "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" > "$OUTPUT" 2>&1
-    # Run database twice until issue on develop branch is resolved. Since
-    # the command is idempotent normally it is not a problem to have it run
-    # more than once.
-    ./Console/cake database > "$OUTPUT" 2>&1 && \
-    ./Console/cake database > "$OUTPUT" 2>&1 && \
-    ./Console/cake setup --admin-given-name "${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME}" \
-                         --admin-family-name "${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME}" \
-                         --admin-username "${COMANAGE_REGISTRY_ADMIN_USERNAME}" \
-                         --enable-pooling "${COMANAGE_REGISTRY_ENABLE_POOLING}" > "$OUTPUT" 2>&1
-    AUTO_GENERATED_SECURITY=1
-fi
-
-popd > "$OUTPUT" 2>&1
-
-# If COmanage Registry CakePHP security salt and seed have been
-# injected and the files do not otherwise exist create them.
-if [[ -n "$COMANAGE_REGISTRY_SECURITY_SALT" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.salt" ) ]]; then
-    echo "$COMANAGE_REGISTRY_SECURITY_SALT" > "$COMANAGE_REGISTRY_DIR/local/Config/security.salt"
-fi
-
-if [[ -n "$COMANAGE_REGISTRY_SECURITY_SEED" && ( -n "$AUTO_GENERATED_SECURITY" || ! -e "$COMANAGE_REGISTRY_DIR/local/Config/security.seed" ) ]]; then
-    echo "$COMANAGE_REGISTRY_SECURITY_SEED" > "$COMANAGE_REGISTRY_DIR/local/Config/security.seed"
-fi
-
-# We always run upgradeVersion since it will not make any changes
-# if the current and target versions are the same or if
-# an upgrade from the current to the target version is not allowed.
-pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
-
-./Console/cake upgradeVersion "${COMANAGE_REGISTRY_UPGRADE_VERSION_OPTS}" > "$OUTPUT" 2>&1
-
-popd > "$OUTPUT" 2>&1
-
-# Force a datbase update if requested. This is helpful when deploying
-# a new version of the code that does not result in a change in the
-# version number and so upgradeVersion does not fire. An example
-# of this scenario is when new code is introduced in the develop
-# branch but before a release happens.
-if [ -n "$COMANAGE_REGISTRY_DATABASE_SCHEMA_FORCE" ]; then
-    echo "Forcing a database schema update..." > "$OUTPUT" 2>&1
-    pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
-    ./Console/cake database > "$OUTPUT" 2>&1
-    popd > "$OUTPUT" 2>&1
-fi
-
-# Enable any supported non-core plugins if requested.
-if [ -n "$COMANAGE_REGISTRY_ENABLE_PLUGIN" ]; then
-    plugins=(`echo "$COMANAGE_REGISTRY_ENABLE_PLUGIN" | sed -e 's@,@ @'`) > "$OUTPUT" 2>&1
-    for plugin in "${plugins[@]}"; 
-    do 
-        echo "Enabling available plugin $plugin..." > "$OUTPUT" 2>&1
-        pushd "$COMANAGE_REGISTRY_DIR/local/Plugin" > "$OUTPUT" 2>&1
-        ln -s "../../app/AvailablePlugin/$plugin" "$plugin" > "$OUTPUT" 2>&1
-        popd > "$OUTPUT" 2>&1
-        pushd "$COMANAGE_REGISTRY_DIR/app" > "$OUTPUT" 2>&1
-        ./Console/cake database > "$OUTPUT" 2>&1
-        popd > "$OUTPUT" 2>&1
-    done
-fi
-
-# Remove any cache files generated thus far.
-find "$COMANAGE_REGISTRY_DIR/app/tmp/cache" -type f -exec rm -f {} \;
-
-# If defined use configured location of Apache HTTP Server 
-# HTTPS certificate and key files. The certificate file may also
-# include intermediate CA certificates, sorted from leaf to root.
-if [ -n "$HTTPS_CERT_FILE" ]; then
-    rm -f /etc/httpd/cert.pem
-    cp "$HTTPS_CERT_FILE" /etc/httpd/cert.pem
-    chown apache /etc/httpd/cert.pem
-    chmod 0644 /etc/httpd/cert.pem
-fi
-
-if [ -n "$HTTPS_PRIVKEY_FILE" ]; then
-    rm -f /etc/httpd/privkey.pem
-    cp "$HTTPS_PRIVKEY_FILE" /etc/httpd/privkey.pem
-    chown apache /etc/httpd/privkey.pem
-    chmod 0600 /etc/httpd/privkey.pem
-fi
-
-# If SERVER_NAME has not been injected try to determine
-# it from the HTTPS_CERT_FILE.
-if [ -z "$SERVER_NAME" ]; then
-    SERVER_NAME=`openssl x509 -in /etc/httpd/cert.pem -text -noout | sed -n '/X509v3 Subject Alternative Name:/ {n;p}' | sed -E 's/.*DNS:(.*)\s*$/\1/'`
-    if [ -z "$SERVER_NAME" ]; then
-        SERVER_NAME=`openssl x509 -in /etc/httpd/cert.pem -subject -noout | sed -E 's/subject=.*CN=(.*)\s*/\1/'`
-    fi
-fi
-
-# Configure Apache HTTP Server with the server name.
-sed -i -e s@%%SERVER_NAME%%@"${SERVER_NAME:-unknown}"@g /etc/httpd/conf.d/000-comanage.conf
-
-# If ENV or USERTOKEN as injected by the deployer contain a semi-colon remove it.
-if [[ $ENV =~ .*";".* ]]; then
-    ENV=`echo $ENV | tr -d ';'`
-    export ENV
-fi
-
-if [[ $USERTOKEN =~ .*";".* ]]; then
-    USERTOKEN=`echo $USERTOKEN | tr -d ';'`
-    export USERTOKEN
-fi
-
-# If ENV or USERTOKEN as injected by the deployer contain a space remove it.
-if [[ $ENV =~ [[:space:]] ]]; then
-    ENV=`echo $ENV | tr -d [:space:]`
-    export ENV
-fi
-
-if [[ $USERTOKEN =~ [[:space:]] ]]; then
-    USERTOKEN=`echo $USERTOKEN | tr -d [:space:]`
-    export USERTOKEN
-fi
-
-# Create pipes to use for COmanage Registry instead of standard log files.
-rm -f "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" > "$OUTPUT" 2>&1
-rm -f "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" > "$OUTPUT" 2>&1
-mkfifo -m 666 "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" > "$OUTPUT" 2>&1
-mkfifo -m 666 "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" > "$OUTPUT" 2>&1
-
-# Format any output from COmanange Registry into standard TIER form.
-(cat <> "$COMANAGE_REGISTRY_DIR/app/tmp/logs/error.log" | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "comanage_registry;error.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe)&
-(cat <> "$COMANAGE_REGISTRY_DIR/app/tmp/logs/debug.log" | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "comanage_registry;debug.log;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe)&
+comanage_utils::tmp_ownership
 
 # Start Apache HTTP Server
 exec /usr/sbin/httpd -DFOREGROUND

docker-comanage-shibboleth-sp-entrypoint

@@ -19,109 +19,10 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-if [ -n "$COMANAGE_DEBUG" ]
-then
-    OUTPUT=/dev/stdout
-else
-    OUTPUT=/dev/null
-fi
+source /usr/local/lib/comanage_utils.sh
 
-# Configuration details that may be injected through environment
-# variables or the contents of files.
-#
-# SHIBBOLETH_SP_METADATA_PROVIDER_XML may also be injected in the
-# same way but because of the presence of special characters in the
-# XML it is handled differently.
-
-injectable_config_vars=( 
-    SHIBBOLETH_SP_ENTITY_ID
-    SHIBBOLETH_SP_CERT
-    SHIBBOLETH_SP_PRIVKEY
-    SHIBBOLETH_SP_SAMLDS_URL
-)
-
-# If the file associated with a configuration variable is present then 
-# read the value from it into the appropriate variable. So for example
-# if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its
-# value points to a file on the file system then read the contents
-# of that file into the variable COMANAGE_REGISTRY_DATASOURCE.
-
-for config_var in "${injectable_config_vars[@]}"
-do
-    eval file_name=\$"${config_var}_FILE";
-
-    if [ -e "$file_name" ]; then
-        payload=`cat $file_name`
-        declare "${config_var}"="${payload}"
-    fi
-done
-
-# If no shibboleth2.xml file is present then create one using 
-# injected information or defaults that are not particularly
-# useful in a federated context but will allow shibd to start.
-if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then
-    cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml
-    sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml
-    sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml
-
-    # The metadata provider injected input most likely contains special characters
-    # so use a sed script instead of simple substitution on the command line.
-
-    if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then
-        xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE"
-    else
-        xml_content_file=`/bin/mktemp`
-        echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file}
-    fi
-
-    sed_script_file=`/bin/mktemp`
-    cat > ${sed_script_file}<<EOF
-/%%SHIBBOLETH_SP_METADATA_PROVIDER_XML%%/ {
-    r ${xml_content_file}
-    d
-}
-EOF
-
-    sed -i -f ${sed_script_file} /etc/shibboleth/shibboleth2.xml
-
-    chmod 0644 /etc/shibboleth/shibboleth2.xml
-fi
-
-# If defined use configured location of Shibboleth SP SAML certificate and key.
-if [ -n "$SHIBBOLETH_SP_CERT" ]; then
-    cp "$SHIBBOLETH_SP_CERT" /etc/shibboleth/sp-cert.pem
-    chown shibd /etc/shibboleth/sp-cert.pem
-    chmod 0644 /etc/shibboleth/sp-cert.pem
-fi
-
-if [ -n "$SHIBBOLETH_SP_PRIVKEY" ]; then
-    cp "$SHIBBOLETH_SP_PRIVKEY" /etc/shibboleth/sp-key.pem
-    chown shibd /etc/shibboleth/sp-key.pem
-    chmod 0600 /etc/shibboleth/sp-key.pem
-fi
-
-# If ENV or USERTOKEN as injected by the deployer contain a semi-colon remove it.
-if [[ $ENV =~ .*";".* ]]; then
-    ENV=`echo $ENV | tr -d ';'`
-    export ENV
-fi
-
-if [[ $USERTOKEN =~ .*";".* ]]; then
-    USERTOKEN=`echo $USERTOKEN | tr -d ';'`
-    export USERTOKEN
-fi
-
-# If ENV or USERTOKEN as injected by the deployer contain a space remove it.
-if [[ $ENV =~ [[:space:]] ]]; then
-    ENV=`echo $ENV | tr -d [:space:]`
-    export ENV
-fi
+source /usr/local/lib/comanage_shibboleth_sp_utils.sh
 
-if [[ $USERTOKEN =~ [[:space:]] ]]; then
-    USERTOKEN=`echo $USERTOKEN | tr -d [:space:]`
-    export USERTOKEN
-fi
+comanage_utils::manage_tier_environment
 
-# Start the daemon.
-export LD_LIBRARY_PATH=/opt/shibboleth/lib64
-exec /usr/sbin/shibd -f -u shibd -g shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F
+comanage_shibboleth_sp_utils::exec_shibboleth_sp_daemon

docker-supervisord-entrypoint

@@ -19,34 +19,9 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-if [ -n "$DEBUG" ]
-then
-    OUTPUT=/dev/stdout
-else
-    OUTPUT=/dev/null
-fi
+source /usr/local/lib/comanage_utils.sh
 
-# If ENV or USERTOKEN as injected by the deployer contain a semi-colon remove it.
-if [[ $ENV =~ .*";".* ]]; then
-    ENV=`echo $ENV | tr -d ';'`
-    export ENV
-fi
-
-if [[ $USERTOKEN =~ .*";".* ]]; then
-    USERTOKEN=`echo $USERTOKEN | tr -d ';'`
-    export USERTOKEN
-fi
-
-# If ENV or USERTOKEN as injected by the deployer contain a space remove it.
-if [[ $ENV =~ [[:space:]] ]]; then
-    ENV=`echo $ENV | tr -d [:space:]`
-    export ENV
-fi
-
-if [[ $USERTOKEN =~ [[:space:]] ]]; then
-    USERTOKEN=`echo $USERTOKEN | tr -d [:space:]`
-    export USERTOKEN
-fi
+comanage_utils::manage_tier_environment
 
 # Make a "console" logging pipe that anyone can write to regardless of who owns the process.
 rm -f /tmp/logpipe > "$OUTPUT" 2>&1
@@ -61,7 +36,7 @@ mkfifo -m 666 /tmp/loghttpd > "$OUTPUT" 2>&1
 # Format any console output from shibd into standard TIER form.
 rm -f /tmp/logshibd > "$OUTPUT" 2>&1
 mkfifo -m 666 /tmp/logshibd > "$OUTPUT" 2>&1
-(cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "httpd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe 2>&1)&
+(cat <> /tmp/logshibd | awk -v ENV="$ENV" -v UT="$USERTOKEN" '{printf "shibd;console;%s;%s;%s\n", ENV, UT, $0; fflush()}' 1>/tmp/logpipe 2>&1)&
 
 # Format any console output from supervisord into standard TIER form.
 rm -f /tmp/logsuperd > "$OUTPUT" 2>&1

sendtierbeacon.sh

@@ -19,13 +19,13 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-LOGHOST="collector.testbed.tier.internet2.edu"
-LOGPORT="5001"
+LOGHOST='collector.testbed.tier.internet2.edu'
+LOGPORT='5001'
 
-messagefile="/tmp/beaconmsg"
+messagefile='/tmp/beaconmsg'
 
-if [ -z "$TIER_BEACON_OPT_OUT" ]; then
-    cat > $messagefile <<EOF
+if [[ -z "${TIER_BEACON_OPT_OUT}" ]]; then
+    cat > ${messagefile} <<EOF
 {
     "msgType"          : "TIERBEACON",
     "msgName"          : "TIER",
@@ -37,13 +37,13 @@ if [ -z "$TIER_BEACON_OPT_OUT" ]; then
 }
 EOF
 
-    curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T $messagefile 1>/dev/null 2>&1
-    if [ $? -eq 0 ]; then
+    curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T ${messagefile} 1>/dev/null 2>&1
+    if [[ $? -eq 0 ]]; then
         echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent"
     else
         echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon"
     fi
 
-    rm -f $messagefile 1>/dev/null 2>&1
+    rm -f ${messagefile} 1>/dev/null 2>&1
 
 fi

setupcron.sh

@@ -19,11 +19,11 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-CRONFILE=/tmp/cronfile
+CRONFILE='/tmp/cronfile'
 
 # Build and install crontab file with random start time
 # between midnight and 3:59am.
-echo "#send daily beacon to TIER Central" > ${CRONFILE}
-echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /tmp/logpipe 2>&1" >> ${CRONFILE}
-chmod 644 ${CRONFILE}
-crontab ${CRONFILE}
+echo '#send daily beacon to TIER Central' > "${CRONFILE}"
+echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/local/bin/sendtierbeacon.sh >> /tmp/logpipe 2>&1" >> "${CRONFILE}"
+chmod 644 "${CRONFILE}"
+crontab "${CRONFILE}"

shibboleth.repo

@@ -1,7 +1,8 @@
-[security_shibboleth]
+[shibboleth]
 name=Shibboleth (CentOS_7)
+# Please report any problems to https://issues.shibboleth.net
 type=rpm-md
-baseurl=http://downloadcontent.opensuse.org/repositories/security:/shibboleth/CentOS_7/
+mirrorlist=https://shibboleth.net/cgi-bin/mirrorlist.cgi/CentOS_7
 gpgcheck=1
-gpgkey=http://downloadcontent.opensuse.org/repositories/security:/shibboleth/CentOS_7/repodata/repomd.xml.key
+gpgkey=https://shibboleth.net/downloads/service-provider/RPMS/repomd.xml.key
 enabled=1