changes for IdP 5.0

Dockerfile

@@ -1,4 +1,5 @@
-FROM centos:centos7
+FROM rockylinux:8.8
+#FROM --platform=$TARGETPLATFORM rockylinux:8.8
 
 # Install needed utils
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \

Dockerfile.template

@@ -1,4 +1,4 @@
-FROM tier/shib-idp:latest
+FROM i2incommon/shib-idp:latest5
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat
@@ -22,7 +22,7 @@ ADD ${SHBVIEWS} /opt/shibboleth-idp/views
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
 
-# new for 4.1.0: install the Duo OIDC integration
+# new for 4.1.0+: install the Duo OIDC integration
 #      https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration
 # For unattended install of plugins, trust must be manually bootstrapped.  You should never automate the retreival of this file (like this) for production.
 #ADD https://github.internet2.edu/raw/docker/ShibbIdP_ConfigBuilder_Container/master/oidc-common-truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.idp.plugin.authn.duo.nimbus/truststore.asc

Jenkinsfile

@@ -1,76 +1,160 @@
-node {
 
-  stage 'Checkout'
+pipeline {
+    agent { node { label 'docker-multi-arch' } }
+    environment { 
+        maintainer = "t"
+        imagename = 's'
+        tag = 'l'
+        DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
 
-    checkout scm
-
-  stage 'Acquire util'
-
-    sh 'mkdir -p tmp && mkdir -p bin'
-    dir('tmp'){
-      git([ url: "https://github.internet2.edu/docker/util.git",
-          credentialsId: "jenkins-github-access-token" ])
-      sh 'rm -rf ./bin/windows/'
-      sh 'mv -f ./bin/* ../bin/.'
     }
-    sh 'rm -rf tmp'
+    stages {
+        stage('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    if(env.BRANCH_NAME == "master") {
+                       tag = "latest"
+                    } else {
+                       tag = env.BRANCH_NAME
+                    }
+                    if(!imagename){
+                        echo "You must define an imagename in common.bash"
+                        currentBuild.result = 'FAILURE'
+                     }
+                    sh 'mkdir -p tmp && mkdir -p bin'
+                    dir('tmp'){
+                      git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }  
+             }
+        }    
+        stage('Clean') {
+            steps {
+                script {
+                   try{
+                     sh 'bin/destroy.sh >> debug'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        } 
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
+                        sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                      def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Scan') {
+            steps {
+                script {
+                   try {
+                         echo "Starting security scan..."
+                         // Install trivy and HTML template
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
 
-  stage 'Setting build context'
-
-    def maintainer = maintainer()
-    def imagename = imagename()
-    def tag
-
-    // Tag images created on master branch with 'latest'
-    if(env.BRANCH_NAME == "master"){
-      tag = "latest"
-    }else{
-      tag = env.BRANCH_NAME
-    }
-
-    if(!imagename){
-      echo "You must define an imagename in common.bash"
-      currentBuild.result = 'FAILURE'
-     }
-     if(maintainer){
-      echo "Building ${imagename}:${tag} for ${maintainer}"
-     }
-
-  stage 'Build'
-    try{
-      sh 'bin/build.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+                         // Scan container for all vulnerability levels
+                         echo "Scanning for all vulnerabilities..."
+                         sh 'mkdir -p reports'
+                         // 2 commented scans below are OS-only, in case timeout issues occur
+                         sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan.html',
+                             reportName: 'Security Scan',
+                             reportTitles: 'Security Scan'
+                          ]
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan-arm.html',
+                             reportName: 'Security Scan (ARM)',
+                             reportTitles: 'Security Scan (ARM)'
+                          ]
+                         // Scan again and fail on CRITICAL vulns
+                         //below can be temporarily commented to prevent build from failing
+                         echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+                         // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked
+                         // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                         sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                         //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+                   } catch(error) {
+                           def error_details = readFile('./debug');
+                           def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+                           sh "rm -f ./debug"
+                           handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Push') {
+            steps {
+                script {
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        echo "Pushing image to dockerhub..."
+                        sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
+                 }
+            }
+        }
+        stage('Notify') {
+            steps{
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
     }
-
-/*  stage 'Tests'
-  
-    try{
-      sh 'bin/test.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
-    }*/
-
-  stage 'Push'
-
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-          def baseImg = docker.build("$maintainer/$imagename")
-          baseImg.push("$tag")
+    post { 
+        always { 
+            echo 'Done Building.'
+        }
+        failure {
+            // slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
     }
-
-  stage 'Notify'
-
-    slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
-
 }
 
-def maintainer() {
+
+def maintain() {
   def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
   matcher ? matcher[0][1] : 'tier'
 }
@@ -84,6 +168,7 @@ def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
   slackSend color: 'danger', message: "${message}"
-  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'chubing@internet2.edu', sendToIndividuals: true])
+  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
   sh 'exit 1'
 }
+

common.bash

@@ -1,5 +1,6 @@
 registry="docker.io"
-maintainer="tier"
+maintainer="i2incommon"
+previous_maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.7"
+version="0.8"

configBuilder.sh

@@ -7,9 +7,11 @@ cd /scriptrun
 
 
 # script config items
-SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.1-InCommon.zip
-TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
-TMP_DIR_S=/tmp/4.1-InCommon
+#SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.1-InCommon.zip
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/refs/heads/5.0-InCommon.zip
+#TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
+TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/refs/heads/tomcat10-1.zip
+TMP_DIR_S=/tmp/5.0-InCommon
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
 
@@ -78,17 +80,17 @@ unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
 ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
 ################################################################################
 #
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/idp.properties ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/ldap.properties ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/metadata-providers.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-resolver.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-filter.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/logback.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/views/* ${SHBVIEWS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/sealer.kver ${SHBCREDS}
-cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
-cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/idp.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/ldap.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/metadata-providers.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/logback.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/views/* ${SHBVIEWS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/sealer.kver ${SHBCREDS}
+cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-tomcat10-1/conf/* ${TOMCFG}
+cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-tomcat10-1/wwwroot/* ${TOMWWWROOT}
 
 
 #####################################################
@@ -287,30 +289,47 @@ openssl x509 -req -days 1825 -in idp-encryption.csr -signkey idp-encryption.key
 #
 cp *.key *.crt ../${SHBCREDS}
 
+
+
+
+
+
+
 # build self-signed cert for Tomcat to use with https
 #
 # ensure keytool
-command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
+#command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
+#
+#if test -f ssl_keystore.jks; then
+#    mv ssl_keystore.jks ssl_keystore.jks.old
+#fi
+#
+#cat > data.conf << EOF
+#${FQDN}
+#SUBJ_OU
+#SUBJ_O
+#SUBJ_CITY
+#SUBJ_STATE
+#SUBJ_COUNTRY
+#yes
+#
+#
+#EOF
+#
+#STOREPWD=$(uuidgen)
+#keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1
+#cp ssl_keystore.jks ../${TOMCERT}/keystore.jks
 
-if test -f ssl_keystore.jks; then
-    mv ssl_keystore.jks ssl_keystore.jks.old
-fi
+# new https cert/key (PEM)
+openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-https.key -out idp-https.csr >> ${LOGFILE} 2>&1
+openssl x509 -req -days 365 -in idp-https.csr -signkey idp-https.key -out idp-https.crt >> ${LOGFILE} 2>&1
+#
+rm -f idp-https.csr
+cp idp-https.* ../${TOMCERT}
 
-cat > data.conf << EOF
-${FQDN}
-SUBJ_OU
-SUBJ_O
-SUBJ_CITY
-SUBJ_STATE
-SUBJ_COUNTRY
-yes
 
 
-EOF
 
-STOREPWD=$(uuidgen)
-keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1
-cp ssl_keystore.jks ../${TOMCERT}/keystore.jks
 
 #
 # OK, next build the shibboleth sealer java keystore
@@ -429,12 +448,12 @@ EOF
 # configure SSL keystore password in tomcat's config file: 
 #    conf/tomcat/server.xml replace: keystorePass="password"
 #
-echo "Updating Tomcat's server.xml with the generated password"
-
-if test \! -f ${TOMCFG}/server.xml.dist; then
-    cp ${TOMCFG}/server.xml ${TOMCFG}/server.xml.dist
-fi
-sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
+#echo "Updating Tomcat's server.xml with the generated password"
+#
+#if test \! -f ${TOMCFG}/server.xml.dist; then
+#    cp ${TOMCFG}/server.xml ${TOMCFG}/server.xml.dist
+#fi
+#sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
 
 
 #