Permalink
Name already in use
A tag already exists with the provided branch name. Many Git commands accept both tag and branch names, so creating this branch may cause unexpected behavior. Are you sure you want to create this branch?
ShibbIdP_ConfigBuilder_Container/configBuilder.sh
Go to fileThis commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
executable file
520 lines (445 sloc)
16.4 KB
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| echo "" | |
| echo "" | |
| #temp for container version | |
| cd /scriptrun | |
| # script config items | |
| #SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.1-InCommon.zip | |
| SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/refs/heads/5.0-InCommon.zip | |
| #TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip | |
| TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/refs/heads/tomcat10-1.zip | |
| TMP_DIR_S=/tmp/5.0-InCommon | |
| TMP_DIR_T=/tmp/tomcfg | |
| TMP_DIR_D=/tmp/buildfiles | |
| # default directories | |
| TOMCFG=config/tomcat | |
| TOMCERT=credentials/tomcat | |
| TOMWWWROOT=wwwroot | |
| SHBCFG=config/shib-idp/conf | |
| SHBCREDS=credentials/shib-idp | |
| SHBVIEWS=config/shib-idp/views | |
| SHBEDWAPP=config/shib-idp/edit-webapp | |
| SHBMSGS=config/shib-idp/messages | |
| SHBMD=config/shib-idp/metadata | |
| # logs | |
| LOGFILE=${PWD}/setup.log | |
| # script variables (do not edit) | |
| ORACLE_JAVA_APPROVAL=None | |
| FQDN=None | |
| SCOPE=None | |
| LDAPURL=None | |
| LDAPBASEDN=None | |
| LDAPDN=None | |
| LDAPPWD=None | |
| SEALERPWD=None | |
| TIER_TESTBED=None | |
| BURNMOUNT=None | |
| USESECRETS=None | |
| ################################## | |
| ### ensure directory structure ### | |
| ################################## | |
| mkdir -p config/tomcat | |
| mkdir -p credentials/tomcat | |
| mkdir -p wwwroot | |
| mkdir -p config/shib-idp/views | |
| mkdir -p config/shib-idp/messages | |
| mkdir -p config/shib-idp/edit-webapp | |
| mkdir -p config/shib-idp/flows | |
| mkdir -p config/shib-idp/conf | |
| mkdir -p config/shib-idp/conf/authn | |
| mkdir -p config/shib-idp/conf/attributes | |
| mkdir -p config/shib-idp/conf/intercept | |
| mkdir -p credentials/shib-idp | |
| mkdir -p config/shib-idp/metadata | |
| ############################################################## | |
| ### download default/TIER config for both shibb and tomcat ### | |
| ############################################################## | |
| # | |
| echo "Downloading TIER default configs" | |
| curl -kLo ${TMP_DIR_S}.zip ${SHB_CFG_URL} > /dev/null | |
| curl -kLo ${TMP_DIR_T}.zip ${TOM_CFG_URL} > /dev/null | |
| ###################### | |
| ### expand to /tmp ### | |
| ###################### | |
| unzip -o -d ${TMP_DIR_S} ${TMP_DIR_S}.zip > /dev/null 2>&1 | |
| unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1 | |
| ################################################################################ | |
| ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ### | |
| ################################################################################ | |
| # | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/idp.properties ${SHBCFG} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/ldap.properties ${SHBCFG} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/metadata-providers.xml ${SHBCFG} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-resolver.xml ${SHBCFG} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-filter.xml ${SHBCFG} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/logback.xml ${SHBCFG} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/views/* ${SHBVIEWS} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS} | |
| cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/sealer.kver ${SHBCREDS} | |
| cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-tomcat10-1/conf/* ${TOMCFG} | |
| cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-tomcat10-1/wwwroot/* ${TOMWWWROOT} | |
| ##################################################### | |
| ### ask setup questions to aid in config building ### | |
| ##################################################### | |
| # | |
| # Get the FQDN of the server | |
| # | |
| echo "" | |
| echo "" | |
| echo "Please supply the Fully Qualified Domain Name (FQDN) of your Shibboleth IdP." | |
| echo "We will use the information you enter here to configure your IdP." | |
| echo "Note: for testing without DNS support (a common case), simply enter" | |
| echo " the IPv4 address of your VM at the prompt below" | |
| echo "" | |
| while [ ${FQDN} == "None" ]; do | |
| echo -n "Enter the FQDN or IP address of your server: " | |
| read response | |
| if [ ${#response} -lt 8 ]; then | |
| echo "Remember, you need a FQDN or IP address" | |
| continue | |
| fi | |
| echo -n "You entered: ${response} Is this correct [Yes/No]? " | |
| read yesno | |
| case $yesno in | |
| Yes|yes|Y|y) | |
| FQDN=$response | |
| ;; | |
| esac | |
| done | |
| #echo "FQDN is: $FQDN" | |
| # | |
| # Get the Scope used for this IdP | |
| # | |
| echo "" | |
| echo "" | |
| echo "Please supply the correct scope for this IdP." | |
| echo "This is typically your base domain: domain.edu" | |
| echo "Enter your IP address if you are just testing." | |
| echo "" | |
| echo "We will use the information you enter here to configure your IdP." | |
| echo "" | |
| while [ ${SCOPE} == "None" ]; do | |
| echo -n "Enter the Scope for your IdP [`expr "$FQDN" | cut -f2- -d.`]: " | |
| read response | |
| TMPSCOPE=${response:-`expr "$FQDN" | cut -f2- -d.`} | |
| if [ ${#TMPSCOPE} -lt 5 ]; then | |
| echo "Remember, you need domain - domain.edu or similar" | |
| continue | |
| fi | |
| echo -n "You entered: ${TMPSCOPE} Is this correct [Yes/No]? " | |
| read yesno | |
| case $yesno in | |
| Yes|yes|Y|y) | |
| SCOPE=$TMPSCOPE | |
| ;; | |
| esac | |
| done | |
| #echo "Scope is: $SCOPE" | |
| # | |
| # Get the LDAP URL for this deployment | |
| # | |
| echo "" | |
| echo "" | |
| echo "Please supply the full LDAP URL for your backend authentication and/or " | |
| echo "attribute store used by your Shibboleth IdP. (e.g. ldap://myldap.domain.edu)" | |
| echo "We will use the information you enter here to configure your IdP." | |
| echo "" | |
| while [ ${LDAPURL} == "None" ]; do | |
| echo -n "Enter the LDAP URL used for your IdP: " | |
| read response | |
| if [ ${#response} -lt 10 ]; then | |
| echo "Remember, you need a full LDAP URL (starts with ldap:// or ldaps://)" | |
| continue | |
| fi | |
| echo -n "You entered: ${response} Is this correct [Yes/No]? " | |
| read yesno | |
| case $yesno in | |
| Yes|yes|Y|y) | |
| LDAPURL=$response | |
| ;; | |
| esac | |
| done | |
| #echo "LDAP URL is: $LDAPURL" | |
| # | |
| # Get the LDAP BaseDN for this deployment | |
| # | |
| echo "" | |
| echo "" | |
| echo "Please supply the LDAP Base DN for your LDAP Server " | |
| echo " (e.g. ou=people,dc=example,dc=org)." | |
| echo "We will use the information you enter here to configure your IdP." | |
| echo "" | |
| while [ ${LDAPBASEDN} == "None" ]; do | |
| echo -n "Enter the LDAP Base DN used for your LDAP Server: " | |
| read response | |
| if [ ${#response} -lt 10 ]; then | |
| echo "Remember, you need the full LDAP Base DN." | |
| continue | |
| fi | |
| echo -n "You entered: ${response} Is this correct [Yes/No]? " | |
| read yesno | |
| case $yesno in | |
| Yes|yes|Y|y) | |
| LDAPBASEDN=$response | |
| ;; | |
| esac | |
| done | |
| # | |
| # Get the LDAP DN for this deployment | |
| # | |
| echo "" | |
| echo "" | |
| echo "Please supply the full LDAP DN (DistinguishedName) for the account " | |
| echo "used to access your LDAP (only read access is necessary). " | |
| echo "(e.g. uid=myservice,ou=system)" | |
| echo "We will use the information you enter here to configure your IdP." | |
| echo "" | |
| while [ ${LDAPDN} == "None" ]; do | |
| echo -n "Enter the LDAP DN for the service account used by your IdP: " | |
| read response | |
| if [ ${#response} -lt 8 ]; then | |
| echo "Remember, you need the full LDAP DN" | |
| continue | |
| fi | |
| echo -n "You entered: ${response} Is this correct [Yes/No]? " | |
| read yesno | |
| case $yesno in | |
| Yes|yes|Y|y) | |
| LDAPDN=$response | |
| ;; | |
| esac | |
| done | |
| # | |
| # Get the LDAP PWD for this deployment | |
| # | |
| echo "" | |
| echo "" | |
| echo "Please supply the password for the LDAP DN just specified " | |
| echo "for access your LDAP" | |
| echo "" | |
| echo "We will use the information you enter here to configure your IdP." | |
| echo "" | |
| while [ ${LDAPPWD} == "None" ]; do | |
| echo -n "Enter the password for the account just specified: " | |
| read response | |
| if [ ${#response} -lt 2 ]; then | |
| echo "You should use a stronger password." | |
| continue | |
| fi | |
| echo -n "You entered: ${response} Is this correct [Yes/No]? " | |
| read yesno | |
| case $yesno in | |
| Yes|yes|Y|y) | |
| LDAPPWD=$response | |
| ;; | |
| esac | |
| done | |
| ####################################### | |
| ## support for secrets is deprecated ## | |
| ####################################### | |
| USESECRETS=NO | |
| BURNMOUNT=burn | |
| ############################################################ | |
| ### generate credentials/certs for tomcat and shibboleth ### | |
| ############################################################ | |
| # ensure openssl | |
| command -v openssl >/dev/null 2>&1 || { echo >&2 "ERROR: openssl is required, but doesn't appear to be installed. Aborting..."; exit 1; } | |
| echo "" | |
| echo "Generating credentials..." | |
| echo "" | |
| # | |
| mkdir -p crypto-work-tmp | |
| cd crypto-work-tmp | |
| #IdP Signing key/cert | |
| openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-signing.key -out idp-signing.csr >> ${LOGFILE} 2>&1 | |
| echo '[SAN]' > extensions | |
| echo "subjectAltName=DNS:${FQDN},URI:https://${FQDN}/idp/shibboleth" >>extensions | |
| echo "subjectKeyIdentifier=hash" >> extensions | |
| openssl x509 -req -days 1825 -in idp-signing.csr -signkey idp-signing.key -extensions SAN -extfile extensions -out idp-signing.crt >> ${LOGFILE} 2>&1 | |
| # | |
| # IdP Encryption Key | |
| openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-encryption.key -out idp-encryption.csr >> ${LOGFILE} 2>&1 | |
| openssl x509 -req -days 1825 -in idp-encryption.csr -signkey idp-encryption.key -extensions SAN -extfile extensions -out idp-encryption.crt >> ${LOGFILE} 2>&1 | |
| # | |
| cp *.key *.crt ../${SHBCREDS} | |
| # build self-signed cert for Tomcat to use with https | |
| # | |
| # ensure keytool | |
| #command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed. Aborting..."; exit 1; } | |
| # | |
| #if test -f ssl_keystore.jks; then | |
| # mv ssl_keystore.jks ssl_keystore.jks.old | |
| #fi | |
| # | |
| #cat > data.conf << EOF | |
| #${FQDN} | |
| #SUBJ_OU | |
| #SUBJ_O | |
| #SUBJ_CITY | |
| #SUBJ_STATE | |
| #SUBJ_COUNTRY | |
| #yes | |
| # | |
| # | |
| #EOF | |
| # | |
| #STOREPWD=$(uuidgen) | |
| #keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1 | |
| #cp ssl_keystore.jks ../${TOMCERT}/keystore.jks | |
| # new https cert/key (PEM) | |
| openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-https.key -out idp-https.csr >> ${LOGFILE} 2>&1 | |
| openssl x509 -req -days 365 -in idp-https.csr -signkey idp-https.key -out idp-https.crt >> ${LOGFILE} 2>&1 | |
| # | |
| rm -f idp-https.csr | |
| cp idp-https.* ../${TOMCERT} | |
| # | |
| # OK, next build the shibboleth sealer java keystore | |
| # | |
| echo "" | |
| echo "Creating Shibboleth sealer keystore" | |
| echo "" | |
| # | |
| rm -f mysealer.jks | |
| SEALERPWD=$(uuidgen) | |
| keytool -genseckey -storetype jceks -alias secret1 -providername SunJCE -keyalg AES -keysize 256 -storepass ${SEALERPWD} -keypass ${SEALERPWD} -keystore mysealer.jks >> ${LOGFILE} 2>&1 | |
| cp mysealer.jks ../${SHBCREDS}/sealer.jks | |
| # return to previous work directory | |
| cd .. | |
| #remove work dir | |
| rm -rf crypto-work-tmp/* | |
| rmdir crypto-work-tmp | |
| ############################# | |
| ### generate new metadata ### | |
| ############################# | |
| CERTFILE=${SHBCREDS}/idp-signing.crt | |
| CERT="$(grep -v '^-----' $CERTFILE)" | |
| ENTITYID=https://${FQDN}/idp/shibboleth | |
| BASEURL=https://${FQDN} | |
| cat > ${SHBMD}/idp-metadata.xml <<EOF | |
| <EntityDescriptor entityID="$ENTITYID" xmlns="urn:oasis:names:tc:SAML:2.0:metadata" xmlns:shibmd="urn:mace:shibboleth:metadata:1.0" xmlns:ds="http://www.w3.org/2000/09/xmldsig#"> | |
| <IDPSSODescriptor protocolSupportEnumeration="urn:oasis:names:tc:SAML:2.0:protocol"> | |
| <Extensions> | |
| <shibmd:Scope regexp="false">$SCOPE</shibmd:Scope> | |
| </Extensions> | |
| <KeyDescriptor use="signing"> | |
| <ds:KeyInfo> | |
| <ds:X509Data> | |
| <ds:X509Certificate> | |
| $CERT | |
| </ds:X509Certificate> | |
| </ds:X509Data> | |
| </ds:KeyInfo> | |
| </KeyDescriptor> | |
| <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/idp/profile/SAML2/Redirect/SLO"/> | |
| <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/idp/profile/SAML2/POST/SLO"/> | |
| <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="$BASEURL/idp/profile/SAML2/POST-SimpleSign/SLO"/> | |
| <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/idp/profile/SAML2/Redirect/SSO"/> | |
| <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/idp/profile/SAML2/POST/SSO"/> | |
| <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="$BASEURL/idp/profile/SAML2/POST-SimpleSign/SSO"/> | |
| <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:SOAP" Location="$BASEURL/idp/profile/SAML2/SOAP/ECP"/> | |
| </IDPSSODescriptor> | |
| </EntityDescriptor> | |
| EOF | |
| ############################################################################## | |
| ### make needed adjustments to IdP config and Dockerfile and Tomcat config ### | |
| ############################################################################## | |
| # | |
| #ensure sed | |
| command -v sed >/dev/null 2>&1 || { echo >&2 "ERROR: sed is required, but doesn't appear to be installed. Aborting..."; exit 1; } | |
| # set entityID, sealer pwd in idp.properties | |
| echo "" | |
| echo "Updating your IdP config and Dockerfile to match the info" | |
| echo " you supplied and with the auto-generated key password." | |
| echo "" | |
| IDP_PROP=${SHBCFG}/idp.properties | |
| if test \! -f ${IDP_PROP}.dist; then | |
| cp ${IDP_PROP} ${IDP_PROP}.dist | |
| fi | |
| sed "s/idp.example.org\/idp\/shibboleth/${FQDN}\/idp\/shibboleth/" ${IDP_PROP}.dist > ${IDP_PROP}.tmp | |
| sed "s/=example.org/=${SCOPE}/" ${IDP_PROP}.tmp > ${IDP_PROP} | |
| rm -f ${IDP_PROP}.tmp | |
| # | |
| # set ldap URL, baseDN, svcDN, pwd in ldap.properties | |
| LDAP_PROP=${SHBCFG}/ldap.properties | |
| if test \! -f ${LDAP_PROP}.dist; then | |
| cp ${LDAP_PROP} ${LDAP_PROP}.dist | |
| fi | |
| sed "s/#idp.authn.LDAP.authenticator/idp.authn.LDAP.authenticator/" ${LDAP_PROP}.dist > ${LDAP_PROP}.tmp | |
| sed "s/= anonSearchAuthenticator/= bindSearchAuthenticator/" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2 | |
| sed "s#ldap://localhost:10389#${LDAPURL}#" ${LDAP_PROP}.tmp2 > ${LDAP_PROP}.tmp3 | |
| sed "s#uid=myservice,ou=system#${LDAPDN}#" ${LDAP_PROP}.tmp3 > ${LDAP_PROP}.tmp4 | |
| sed "s#ou=people,dc=example,dc=org#${LDAPBASEDN}#" ${LDAP_PROP}.tmp4 > ${LDAP_PROP} | |
| rm -f ${LDAP_PROP}.tmp | |
| rm -f ${LDAP_PROP}.tmp2 | |
| rm -f ${LDAP_PROP}.tmp3 | |
| rm -f ${LDAP_PROP}.tmp4 | |
| ################################# | |
| ## generate secrets.properties ## | |
| ################################# | |
| cat > ./${SHBCREDS}/secrets.properties << EOF | |
| # This is a reserved spot for most properties containing passwords or other secrets. | |
| # Created by install at $(date) | |
| # Access to internal AES encryption key | |
| idp.sealer.storePassword = ${SEALERPWD} | |
| idp.sealer.keyPassword = ${SEALERPWD} | |
| # Default access to LDAP authn and attribute stores. | |
| idp.authn.LDAP.bindDNCredential = ${LDAPPWD} | |
| idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined} | |
| # Salt used to generate persistent/pairwise IDs, must be kept secret | |
| #idp.persistentId.salt = changethistosomethingrandom | |
| EOF | |
| # configure SSL keystore password in tomcat's config file: | |
| # conf/tomcat/server.xml replace: keystorePass="password" | |
| # | |
| #echo "Updating Tomcat's server.xml with the generated password" | |
| # | |
| #if test \! -f ${TOMCFG}/server.xml.dist; then | |
| # cp ${TOMCFG}/server.xml ${TOMCFG}/server.xml.dist | |
| #fi | |
| #sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml | |
| # | |
| # copy Dockerfile template | |
| # | |
| case "$BUILD_ENV" in | |
| LINUX | linux) | |
| echo "Generating Dockerfile for a Linux container" | |
| cp /Dockerfile.template ${PWD}/Dockerfile | |
| ;; | |
| WINDOWS | windows) | |
| echo "Generating Dockerfile for a Windows container" | |
| cp /Dockerfile.windows.template ${PWD}/Dockerfile | |
| ;; | |
| *) | |
| echo "Environment variable BUILD_ENV was not found or had an incorrect value (only LINUX|WINDOWS is supported). Terminating." | |
| exit 1 | |
| ;; | |
| esac | |
| #copy files directly instead of zipping | |
| mkdir -p /output-tmp | |
| cp -R ./* /output-tmp | |
| rm -f /output-tmp/configBuilder.sh | |
| rm -f /output-tmp/setup.log | |
| cp -Rf /output-tmp/* /output | |
| rm -rf /output-tmp/* | |
| rmdir /output-tmp | |
| echo "wrote config to output location (typically PWD)"... | |
| ############################################################################################################################ | |
| ### notify user of next steps (docker build and docker run commands, based on burn/mount and chosen directory locations) ### | |
| ############################################################################################################################ | |
| echo "" | |
| echo "Your initial configuration has been successfully built." | |
| echo "" | |
| echo "" | |
| ################################# | |
| ### cleanup/remove temp files ### | |
| ################################# | |
| rm -f ${TMP_DIR_S}.zip | |
| rm -rf ${TMP_DIR_S}/* | |
| rmdir ${TMP_DIR_S} | |
| rm -f ${TMP_DIR_T}.zip | |
| rm -rf ${TMP_DIR_T}/* | |
| rmdir ${TMP_DIR_T} | |
| # | |
| echo config saved to configured local directory | |
| echo "" | |
| echo "" |