From 0f3690329105f5781039368caf098e3b6e370385 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 18 Jun 2018 15:05:19 -0400
Subject: [PATCH 01/34] mods for using upstream container

---
 Dockerfile          |  22 +++--
 Dockerfile.template |  25 +++++
 configBuilder.sh    | 232 +++++++++++++++++++++++---------------------
 3 files changed, 159 insertions(+), 120 deletions(-)
 create mode 100644 Dockerfile.template

diff --git a/Dockerfile b/Dockerfile
index 0806af3..bab0ad5 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -5,19 +5,25 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
     yum -y install wget zip unzip rsync openssl && \
     yum -y clean all
 
-#download/install JRE
-ENV JAVA_HOME /usr/java/latest
+#download/install Java
+ENV JAVA_HOME /usr
 
-RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \
-     yum -y install /tmp/jre-8u171-linux-x64.rpm && \
-     rm -f /tmp/jre-8u171-linux-x64.rpm && \
-     alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
-     alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
-     alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
+# Install Zulu Java
+RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
+        && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
+        && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
+
+#RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \
+#     yum -y install /tmp/jre-8u171-linux-x64.rpm && \
+#     rm -f /tmp/jre-8u171-linux-x64.rpm && \
+#     alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
+#     alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
+#     alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
 
 #copy files
 RUN mkdir -p /output && mkdir -p /scriptrun
 COPY configBuilder.sh /scriptrun
+COPY Dockerfile.template /
 RUN chmod 755 /scriptrun/configBuilder.sh
 
 CMD /scriptrun/configBuilder.sh
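Review bot: The new Zulu RUN line fetches both the RPM signing key (`rpm --import http://...`) and the repo definition (`curl -o /etc/yum.repos.d/zulu.repo http://...`) over plain HTTP, so the key that is meant to authenticate the packages is itself unauthenticated and an on-path attacker can substitute key and repo together; use `rpm --import https://repos.azulsystems.com/RPM-GPG-KEY-azulsystems` and `curl -fsSLo /etc/yum.repos.d/zulu.repo https://repos.azulsystems.com/rhel/zulu.repo` so curl also fails on HTTP errors instead of writing an error page as the repo file. With `JAVA_HOME /usr`, the trailing `alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000` registers `/usr/bin/java` as an alternative for itself, which looks like a self-referencing link — presumably the zulu-8 package already registers java, so the line can likely be dropped; verify in the built image. The layer also leaves the yum cache behind; end it with `&& yum -y clean all` like the earlier RUN. The old Oracle download block is kept as a comment although git history preserves it; delete it.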
diff --git a/Dockerfile.template b/Dockerfile.template
new file mode 100644
index 0000000..440deb2
--- /dev/null
+++ b/Dockerfile.template
@@ -0,0 +1,25 @@
+FROM tier/shib-idp:newJavaTomcat
+
+# The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
+ARG TOMCFG=config/tomcat
+ARG TOMCERT=credentials/tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config/shib-idp/conf
+ARG SHBCREDS=credentials/shib-idp
+ARG SHBVIEWS=config/shib-idp/views
+ARG SHBEDWAPP=config/shib-idp/edit-webapp
+ARG SHBMSGS=config/shib-idp/messages
+ARG SHBMD=config/shib-idp/metadata
+
+# copy in the needed config files
+ADD ${TOMCFG} /usr/local/tomcat/conf
+ADD ${TOMCERT} /opt/certs
+ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
+ADD ${SHBCFG} /opt/shibboleth-idp/conf
+ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
+ADD ${SHBVIEWS} /opt/shibboleth-idp/views
+ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+ADD ${SHBMSGS} /opt/shibboleth-idp/messages
+ADD ${SHBMD} /opt/shibboleth-idp/metadata
+
+
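Review bot: The nine `ADD ${...}` instructions copy plain local directories, which is what `COPY` is for; `ADD` additionally auto-extracts archives and fetches URLs, so a stray tarball in one of these directories would be unpacked rather than copied — change them to `COPY ${TOMCFG} /usr/local/tomcat/conf` and so on (the same applies to the Windows template's ADD lines enabled in patch 07). Two of the directories hold private key material (`${TOMCERT}`, `${SHBCREDS}`), and anything copied during a build step is a permanent image layer, so the image this template produces must be treated as a secret and never pushed to a shared registry; a header comment stating that, e.g. `# NOTE: the credential directories below are baked into image layers; keep the resulting image private.`, would save a user from finding out the hard way.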
diff --git a/configBuilder.sh b/configBuilder.sh
index c4e6614..4ee1f26 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -12,13 +12,13 @@ TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/m
 TMP_DIR_S=/tmp/3.3release
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
-LINUX_BUILD_FILES_URL=https://github.internet2.edu/docker/shib-idp/archive/master.zip
-WINDOWS_BUILD_FILES_URL=https://github.internet2.edu/docker/ShibbIdP_noVM_Windows/archive/master.zip
+#LINUX_BUILD_FILES_URL=https://github.internet2.edu/docker/shib-idp/archive/master.zip
+#WINDOWS_BUILD_FILES_URL=https://github.internet2.edu/docker/ShibbIdP_noVM_Windows/archive/master.zip
 
 
 # default directories
 TOMCFG=config/tomcat
-TOMLOG=logs/tomcat
+#TOMLOG=logs/tomcat
 TOMCERT=credentials/tomcat
 TOMWWWROOT=wwwroot
 SHBCFG=config/shib-idp/conf
@@ -27,7 +27,7 @@ SHBVIEWS=config/shib-idp/views
 SHBEDWAPP=config/shib-idp/edit-webapp
 SHBMSGS=config/shib-idp/messages
 SHBMD=config/shib-idp/metadata
-SHBLOG=logs/shib-idp
+#SHBLOG=logs/shib-idp
 
 # logs
 LOGFILE=${PWD}/setup.log
@@ -50,7 +50,7 @@ USESECRETS=None
 ### ensure directory structure ###
 ##################################
 mkdir -p config/tomcat
-mkdir -p logs/tomcat
+#mkdir -p logs/tomcat
 mkdir -p credentials/tomcat
 mkdir -p wwwroot
 mkdir -p config/shib-idp/conf
@@ -59,42 +59,43 @@ mkdir -p config/shib-idp/views
 mkdir -p config/shib-idp/edit-webapp
 mkdir -p config/shib-idp/messages
 mkdir -p config/shib-idp/metadata
-mkdir -p logs/shib-idp
+#mkdir -p logs/shib-idp
 
 
 ###########################################################
 ### grab the docker build files, depending on OS choice ###
 ###########################################################
-# first, check for wget
-command -v wget >/dev/null 2>&1 || { echo >&2 "ERROR: wget is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
-
-
-case "$BUILD_ENV" in
-LINUX | linux)
-    echo "Getting build files for a Linux container"
-    wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL}  > /dev/null
-    unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
-    cp -rf ${TMP_DIR_D}/shib-idp-master/* /output
-    ;;
-WINDOWS | windows)
-    echo "Getting build files for a Windows container"
-    wget -q -O ${TMP_DIR_D}.zip ${WINDOWS_BUILD_FILES_URL}  > /dev/null
-    unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
-    cp -rf ${TMP_DIR_D}/ShibbIdP_noVM_Windows-master/* /output
-    ;;
-*)
-    echo "Environment variable BUILD_ENV was not found or had an incorrect value (only LINUX|WINDOWS is supported).  Terminating."
-    exit 1
-    ;;
-esac
-
-rm -f /output/configBuilder.sh > /dev/null 2>&1
-rm -f /output/setup.log > /dev/null 2>&1
-rm -f /output/README.md > /dev/null 2>&1
-rm -rf /output/shib-idp-master/*
-
-#grab copy of Dockerfile in working dir
-cp -f /output/Dockerfile .
+## first, check for wget
+#command -v wget >/dev/null 2>&1 || { echo >&2 "ERROR: wget is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
+#
+#
+#case "$BUILD_ENV" in
+#LINUX | linux)
+#    echo "Getting build files for a Linux container"
+#    wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL}  > /dev/null
+#    unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
+#    cp -rf ${TMP_DIR_D}/shib-idp-master/* /output
+#    ;;
+#WINDOWS | windows)
+#    echo "Getting build files for a Windows container"
+#    wget -q -O ${TMP_DIR_D}.zip ${WINDOWS_BUILD_FILES_URL}  > /dev/null
+#    unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
+#    cp -rf ${TMP_DIR_D}/ShibbIdP_noVM_Windows-master/* /output
+#    ;;
+#*)
+#    echo "Environment variable BUILD_ENV was not found or had an incorrect value (only LINUX|WINDOWS is supported).  Terminating."
+#    exit 1
+#    ;;
+#esac
+#
+#rm -f /output/configBuilder.sh > /dev/null 2>&1
+#rm -f /output/setup.log > /dev/null 2>&1
+#rm -f /output/README.md > /dev/null 2>&1
+#rm -rf /output/shib-idp-master/*
+#
+##grab copy of Dockerfile in working dir
+#cp -f /output/Dockerfile .
+##############################################################
 
 
 ##############################################################
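Review bot: The build-file download block is commented out rather than deleted, and the same applies to the Oracle-licence prompt and the sed-based Dockerfile rewriting in the next two hunks of this file; git history keeps the old code, and roughly 120 lines of `#`-prefixed shell make the remaining flow hard to read, so delete them. The `command -v wget` precondition goes with the block, but wget is still used to fetch the config zips further down the script (outside this hunk, only replaced by curl in patch 12), so keep that one line active: `command -v wget >/dev/null 2>&1 || { echo >&2 "ERROR: wget is required, but doesn't appear to be installed.  Aborting..."; exit 1; }`.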
@@ -131,40 +132,42 @@ cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 #
 # Get Oracle license agreement from the user
 #
-echo ""
-echo "The Shibboleth IdP requires that you use Oracle Java.  The Docker container "
-echo "should be configured to download it for you as part of the Docker image build "
-echo "process, but, before we proceed, you must agree to the Oracle Binary Code "
-echo "License Agreement for Java SE (\"Oracle License\").  Please review:"
-echo ""
-echo "  http://www.oracle.com/technetwork/java/javase/terms/license/index.html"
-echo ""
-echo "By agreeing to the Oracle License, you acknowledge that Internet2 is not"
-echo "distributing the Java software and, to the extent an issue arises"
-echo "related to your use of Oracle Java in the TIER software package, you and"
-echo "Internet2 agree to hold each other harmless from any third party claims."
-echo ""${PWD}
+#echo ""
+#echo "The Shibboleth IdP requires that you use Oracle Java.  The Docker container "
+#echo "should be configured to download it for you as part of the Docker image build "
+#echo "process, but, before we proceed, you must agree to the Oracle Binary Code "
+#echo "License Agreement for Java SE (\"Oracle License\").  Please review:"
+#echo ""
+#echo "  http://www.oracle.com/technetwork/java/javase/terms/license/index.html"
+#echo ""
+#echo "By agreeing to the Oracle License, you acknowledge that Internet2 is not"
+#echo "distributing the Java software and, to the extent an issue arises"
+#echo "related to your use of Oracle Java in the TIER software package, you and"
+#echo "Internet2 agree to hold each other harmless from any third party claims."
+#echo ""${PWD}
 #
-while [ ${ORACLE_JAVA_APPROVAL} == "None" ]; do
-    echo -n "Do you agree to the terms of the Oracle license [Yes/No]? "
-    read response
-    case $response in
-        Yes)
-            ORACLE_JAVA_APPROVAL=$response
-            ;;
-        No)
-            ORACLE_JAVA_APPROVAL=$response
-            ;;
-        *)
-            echo "Please respond with Yes or No"
-    esac
-done
-if [ ${ORACLE_JAVA_APPROVAL} != "Yes" ]; then
-    echo ""
-    echo "In order to use this implementation of the Shibboleth IdP, you must"
-    echo "use Oracle Java and thus agree to the terms of the Oracle license."
-    exit 0
-fi
+#while [ ${ORACLE_JAVA_APPROVAL} == "None" ]; do
+#    echo -n "Do you agree to the terms of the Oracle license [Yes/No]? "
+#    read response
+#    case $response in
+#        Yes)
+#            ORACLE_JAVA_APPROVAL=$response
+#            ;;
+#        No)
+#            ORACLE_JAVA_APPROVAL=$response
+#            ;;
+#        *)
+#            echo "Please respond with Yes or No"
+#    esac
+#done
+#if [ ${ORACLE_JAVA_APPROVAL} != "Yes" ]; then
+#    echo ""
+#    echo "In order to use this implementation of the Shibboleth IdP, you must"
+#    echo "use Oracle Java and thus agree to the terms of the Oracle license."
+#    exit 0
+#fi
+
+
 #
 # Get the FQDN of the server
 #
@@ -523,50 +526,49 @@ rm -f ${LDAP_PROP}.tmp5
 # adjust Dockerfile for java and for a burned-in config, if needed
 #
 #java first
-if test \! -f Dockerfile.dist; then
-    cp Dockerfile Dockerfile.dist
-fi
-cat <<EOF > docker_edit.sed
-s/^# ENV /ENV /
-s/^# RUN /RUN /
-s/^#     yum/     yum/
-s/^#     rm/     rm/
-s/^#     alternatives/     alternatives/
-s/^#     http/     http/
-s/^#     \&\&/     \&\&/
-EOF
-rm -f Dockerfile
-sed -f docker_edit.sed Dockerfile.dist > Dockerfile
-rm -f docker_edit.sed
-
-
-if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then
-  echo "Configuring Docker for burned-in/hybrid configuration."
-
-  mv -f Dockerfile Dockerfile.setup
-  cat <<EOF > docker_edit.sed
-s/^## ADD /ADD /
-/^VOLUME/,+10 s/^/#/
-EOF
-  rm -f Dockerfile
-  sed -f docker_edit.sed Dockerfile.setup > Dockerfile
-  rm -f Dockerfile.setup
-  rm -f docker_edit.sed
-
-fi
-
-if [ ${USESECRETS} == "YES" ] && [ ${BUILD_ENV} == "WINDOWS" ]; then
-  echo "Configuring Dockerfile for use of secrets in a Windows container."
+#if test \! -f Dockerfile.dist; then
+#    cp Dockerfile Dockerfile.dist
+#fi
+#cat <<EOF > docker_edit.sed
+#s/^# ENV /ENV /
+#s/^# RUN /RUN /
+#s/^#     yum/     yum/
+#s/^#     rm/     rm/
+#s/^#     alternatives/     alternatives/
+#s/^#     http/     http/
+#s/^#     \&\&/     \&\&/
+#EOF
+#rm -f Dockerfile
+#sed -f docker_edit.sed Dockerfile.dist > Dockerfile
+#rm -f docker_edit.sed
+
+#if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then
+#  echo "Configuring Docker for burned-in/hybrid configuration."
+#
+#  mv -f Dockerfile Dockerfile.setup
+#  cat <<EOF > docker_edit.sed
+#s/^## ADD /ADD /
+#/^VOLUME/,+10 s/^/#/
+#EOF
+#  rm -f Dockerfile
+#  sed -f docker_edit.sed Dockerfile.setup > Dockerfile
+#  rm -f Dockerfile.setup
+#  rm -f docker_edit.sed
+#
+#fi
 
-  mv -f Dockerfile Dockerfile.setup
-  cat <<EOF > docker_edit.sed
-s/^#!# RUN /RUN /
-EOF
-  rm -f Dockerfile
-  sed -f docker_edit.sed Dockerfile.setup > Dockerfile
-  rm -f Dockerfile.setup
-  rm -f docker_edit.sed
-fi
+#if [ ${USESECRETS} == "YES" ] && [ ${BUILD_ENV} == "WINDOWS" ]; then
+#  echo "Configuring Dockerfile for use of secrets in a Windows container."
+#
+#  mv -f Dockerfile Dockerfile.setup
+#  cat <<EOF > docker_edit.sed
+#s/^#!# RUN /RUN /
+#EOF
+#  rm -f Dockerfile
+#  sed -f docker_edit.sed Dockerfile.setup > Dockerfile
+#  rm -f Dockerfile.setup
+#  rm -f docker_edit.sed
+#fi
 
 # configure SSL keystore password in tomcat's config file: 
 #    conf/tomcat/server.xml replace: keystorePass="password"
@@ -579,6 +581,12 @@ fi
 sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
 
 
+#
+# copy Dockerfile template
+#
+cp /Dockerfile.template ${PWD}/Dockerfile
+
+
 # if the user chose to use secrets, then generate a directory containing the config with secrets removed
 if [ ${USESECRETS} == "YES" ]; then
  echo ""
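Review bot: `cp /Dockerfile.template ${PWD}/Dockerfile` is unconditional, while the template always contains the `ADD` lines for config and credentials and the burn/hybrid branch that previously enabled them (and commented out the VOLUMEs) is now commented out in the previous hunk; the BURNMOUNT answer therefore no longer affects the generated Dockerfile, and if that prompt still exists earlier in the script (outside this hunk) a user who chose the mounted variant still gets an image with the credential directories baked in. Either gate the copy on the answer, `if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then cp /Dockerfile.template ${PWD}/Dockerfile; fi`, with a separate template for the mounted case, or drop the prompt and state in the README that the output is burn-in only. The copy's exit status is also unchecked; with no `set -e` visible in the hunk, a missing template would go unnoticed.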

From 156336bcebdcca1b20dbaac975d6e6721d729ba5 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 18 Jun 2018 15:27:02 -0400
Subject: [PATCH 02/34] fix typo

---
 Dockerfile.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index 440deb2..d851db6 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:newJavaTomcat
+FROM tier/shib-idp:latest
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat
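Review bot: `FROM tier/shib-idp:latest` leaves the generated image's base unpinned, so two builds of the same config can yield different IdP versions and a later push of `latest` silently changes what users deploy; pin a release tag (`FROM tier/shib-idp:<release-tag>`, placeholder for the tag you intend) and, for reproducibility, a digest. If tracking upstream is deliberate, say so in a comment above the FROM line so the next reader does not "fix" it.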

From 91afe86eff6589d377979b55101fe389ddcaa047 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Tue, 19 Jun 2018 14:57:48 -0400
Subject: [PATCH 03/34] bump version

---
 common.bash | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/common.bash b/common.bash
index bb76b27..312403c 100644
--- a/common.bash
+++ b/common.bash
@@ -2,4 +2,4 @@ registry="docker.io"
 maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.2"
+version="0.3"

From 960f03473cdc76257653408201fd7d44fdbf366e Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 6 Jul 2018 12:32:10 -0400
Subject: [PATCH 04/34] add windows Dockerfile template

---
 configBuilder.sh | 15 ++++++++++++++-
 1 file changed, 14 insertions(+), 1 deletion(-)

diff --git a/configBuilder.sh b/configBuilder.sh
index 4ee1f26..bd02fd7 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -584,7 +584,20 @@ sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server
 #
 # copy Dockerfile template
 #
-cp /Dockerfile.template ${PWD}/Dockerfile
+case "$BUILD_ENV" in
+LINUX | linux)
+    echo "Generating Dockerfile for a Linux container"
+    cp /Dockerfile.template ${PWD}/Dockerfile
+    ;;
+WINDOWS | windows)
+    echo "Generating Dockerfile for a Windows container"
+    cp /Dockerfile.windows.template ${PWD}/Dockerfile
+    ;;
+*)
+    echo "Environment variable BUILD_ENV was not found or had an incorrect value (only LINUX|WINDOWS is supported).  Terminating."
+    exit 1
+    ;;
+esac
 
 
 # if the user chose to use secrets, then generate a directory containing the config with secrets removed
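Review bot: Neither `cp` in the new case statement checks its exit status, and `/Dockerfile.windows.template` is not copied into the configbuilder image by the Dockerfile at this commit (that COPY arrives in patch 06), so the WINDOWS branch prints "Generating Dockerfile" and then carries on without producing one; if the script does not run under `set -e` (its header is outside this hunk), guard each copy: `cp /Dockerfile.windows.template ${PWD}/Dockerfile || { echo >&2 "ERROR: Dockerfile template not found"; exit 1; }`. The `*)` error text duplicates the message from the block commented out earlier in the script; once that block is deleted this becomes the single copy.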

From fbc06e3cb2f33c0062406c5024d99479d83b95d5 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 6 Jul 2018 13:00:05 -0400
Subject: [PATCH 05/34] add template file

---
 Dockerfile.windows.template | 39 +++++++++++++++++++++++++++++++++++++
 1 file changed, 39 insertions(+)
 create mode 100644 Dockerfile.windows.template

diff --git a/Dockerfile.windows.template b/Dockerfile.windows.template
new file mode 100644
index 0000000..3cf01a7
--- /dev/null
+++ b/Dockerfile.windows.template
@@ -0,0 +1,39 @@
+FROM tier/shibbidp_novm_windows:latest
+
+#params for supplying your IdP config to your container (can be overridden at build-time using build-args)
+ARG TOMCFG=config\\tomcat
+ARG TOMLOG=logs\\tomcat
+ARG TOMCERT=credentials\\tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config\\shib-idp\\conf
+ARG SHBCREDS=credentials\\shib-idp
+ARG SHBVIEWS=config\\shib-idp\\views
+ARG SHBEDWAPP=config\\shib-idp\\edit-webapp
+ARG SHBMSGS=config\\shib-idp\\messages
+ARG SHBMD=config\\shib-idp\\metadata
+ARG SHBLOG=logs\\shib-idp
+
+#ADD $TOMCFG c:\\Tomcat\\conf
+#ADD $TOMCERT c:\\sslcert
+#ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
+#ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
+#ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
+#ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
+#ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
+#ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
+#ADD $SHBMD c:\\opt\\shibboleth-idp\\metadata
+
+# Uncomment if using secrets; removes existing files from the container so that secrets can propagate (issue with Windows containers)
+# RUN del c:\opt\shibboleth-idp\conf\idp.properties
+# RUN del c:\opt\shibboleth-idp\conf\ldap.properties
+# RUN del c:\opt\shibboleth-idp\conf\relying-party.xml
+# RUN del c:\opt\shibboleth-idp\conf\attribute-filter.xml
+# RUN del c:\opt\shibboleth-idp\conf\attribute-resolver.xml
+# RUN del c:\opt\shibboleth-idp\conf\metadata-providers.xml
+# RUN del c:\opt\shibboleth-idp\credentials\idp-signing.key
+# RUN del c:\opt\shibboleth-idp\credentials\idp-signing.crt
+# RUN del c:\opt\shibboleth-idp\credentials\idp-encryption.key
+# RUN del c:\opt\shibboleth-idp\credentials\idp-encryption.crt
+# RUN del c:\opt\shibboleth-idp\credentials\sealer.jks
+# RUN del c:\opt\shibboleth-idp\credentials\sealer.kver
+
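Review bot: `FROM tier/shibbidp_novm_windows:latest` leaves the base unpinned, the same point as for the Linux template; pin a release tag. `ARG TOMLOG` and `ARG SHBLOG` are declared but no instruction in the template consumes them, and the Linux side of this series has already commented out the matching log directories, so drop them or add the instruction that uses them. The `RUN del` lines say "uncomment if using secrets", but the sed rewrite that used to enable Windows secret lines (`s/^#!# RUN /RUN /`) was commented out in patch 01 and these markers are plain `# RUN`, so nothing enables them automatically; a comment such as `# Not toggled by configBuilder.sh; edit this file by hand if you use Docker secrets.` would make that explicit.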

From e9d066e111b8ef15f2565fe71b15e52cf8d6c404 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 6 Jul 2018 13:02:01 -0400
Subject: [PATCH 06/34] fix Dockerfile

---
 Dockerfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Dockerfile b/Dockerfile
index bab0ad5..f82998d 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -24,6 +24,7 @@ RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
 RUN mkdir -p /output && mkdir -p /scriptrun
 COPY configBuilder.sh /scriptrun
 COPY Dockerfile.template /
+COPY Dockerfile.windows.template /
 RUN chmod 755 /scriptrun/configBuilder.sh
 
 CMD /scriptrun/configBuilder.sh

From f3f24e751c4fba08793faa467e566dca539a4bb7 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 6 Jul 2018 15:06:25 -0400
Subject: [PATCH 07/34] mod to windows dockerfile template

---
 Dockerfile.windows.template | 18 +++++++++---------
 1 file changed, 9 insertions(+), 9 deletions(-)

diff --git a/Dockerfile.windows.template b/Dockerfile.windows.template
index 3cf01a7..ee81a36 100644
--- a/Dockerfile.windows.template
+++ b/Dockerfile.windows.template
@@ -13,15 +13,15 @@ ARG SHBMSGS=config\\shib-idp\\messages
 ARG SHBMD=config\\shib-idp\\metadata
 ARG SHBLOG=logs\\shib-idp
 
-#ADD $TOMCFG c:\\Tomcat\\conf
-#ADD $TOMCERT c:\\sslcert
-#ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
-#ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
-#ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
-#ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
-#ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
-#ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
-#ADD $SHBMD c:\\opt\\shibboleth-idp\\metadata
+ADD $TOMCFG c:\\Tomcat\\conf
+ADD $TOMCERT c:\\sslcert
+ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
+ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
+ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
+ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
+ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
+ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
+ADD $SHBMD c:\\opt\\shibboleth-idp\\metadata
 
 # Uncomment if using secrets; removes existing files from the container so that secrets can propagate (issue with Windows containers)
 # RUN del c:\opt\shibboleth-idp\conf\idp.properties

From acb954763c8315711ed2be79412d2a226439d954 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Tue, 10 Jul 2018 13:22:37 -0500
Subject: [PATCH 08/34] Update Dockerfile.windows.template

---
 Dockerfile.windows.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.windows.template b/Dockerfile.windows.template
index ee81a36..3ac39dd 100644
--- a/Dockerfile.windows.template
+++ b/Dockerfile.windows.template
@@ -14,7 +14,7 @@ ARG SHBMD=config\\shib-idp\\metadata
 ARG SHBLOG=logs\\shib-idp
 
 ADD $TOMCFG c:\\Tomcat\\conf
-ADD $TOMCERT c:\\sslcert
+ADD $TOMCERT c:\\opt\\certs
 ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
 ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
 ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials

From fafe98bbd2e3ac46159e46e056467de38434f66a Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 10 Oct 2018 16:05:18 -0400
Subject: [PATCH 09/34] switch the 3.4release config

---
 configBuilder.sh | 16 ++++++++--------
 1 file changed, 8 insertions(+), 8 deletions(-)

diff --git a/configBuilder.sh b/configBuilder.sh
index bd02fd7..27f257e 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -7,9 +7,9 @@ cd /scriptrun
 
 
 # script config items
-SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.3release.zip
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.4release.zip
 TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
-TMP_DIR_S=/tmp/3.3release
+TMP_DIR_S=/tmp/3.4release
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
 #LINUX_BUILD_FILES_URL=https://github.internet2.edu/docker/shib-idp/archive/master.zip
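Review bot: The release name is spelled out in `SHB_CFG_URL`, in `TMP_DIR_S` and in the six `cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/...` lines of the next hunk, so every switch (this commit, and again patch 14 for 3.4-InCommon) touches eight lines and can miss one. Derive them from a single variable: `SHB_CFG_REL=3.4release`, `SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/${SHB_CFG_REL}.zip`, `TMP_DIR_S=/tmp/${SHB_CFG_REL}`, and `cp -rf ${TMP_DIR_S}/shib-idp-conftree-${SHB_CFG_REL}/conf/* ${SHBCFG}` for the copies.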
@@ -116,12 +116,12 @@ unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
 ################################################################################
 ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
 ################################################################################
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/conf/* ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/views/* ${SHBVIEWS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/edit-webapp/* ${SHBEDWAPP}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/messages/* ${SHBMSGS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/metadata/* ${SHBMD}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.3release/credentials/* ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/conf/* ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/views/* ${SHBVIEWS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/edit-webapp/* ${SHBEDWAPP}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/messages/* ${SHBMSGS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/metadata/* ${SHBMD}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/credentials/* ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 

From f8ca077dc5c3f47f2684555c8160dca345e42377 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 12 Nov 2018 06:56:57 -0600
Subject: [PATCH 10/34] Update README.md

---
 README.md | 9 +++------
 1 file changed, 3 insertions(+), 6 deletions(-)

diff --git a/README.md b/README.md
index c923a78..440739d 100644
--- a/README.md
+++ b/README.md
@@ -8,15 +8,12 @@ The result is a set of files and directories containing everything needed to bui
 
 Once the files have been written to your directory, the container terminates and can be deleted.
 
-Build this container like this: 
-docker build -t tierconfigbuilder .
-
-Run the container like this:
-docker run --interactive --tty -v $PWD:/output -e "BUILD_ENV=LINUX" tier/shibbidp_configbuilder_container
+You can run the container directly from teh docker hub like this:
+docker run -it -v $PWD:/output -e "BUILD_ENV=LINUX" tier/shibbidp_configbuilder_container
 
 -OR, for a Windows container, like this-
 
-docker run --interactive --tty -v $PWD:/output -e "BUILD_ENV=WINDOWS" tier/shibbidp_configbuilder_container
+docker run -it -v $PWD:/output -e "BUILD_ENV=WINDOWS" tier/shibbidp_configbuilder_container
 
 After answering the questions in the configBuilder, your config will be written to several files and directories in the directory you mounted in the 'docker run' command above.  The output defaults to placing certain IdP config files into a 'SECRETS' folder at the root to a) remove them from the rest of the config files so that b) the remaining config files can be easily burned into the container.
 

From a746b6b5e559fa4087b05ceb9b48fe00c172b918 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 12 Nov 2018 06:57:19 -0600
Subject: [PATCH 11/34] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 440739d..e30b3c2 100644
--- a/README.md
+++ b/README.md
@@ -8,7 +8,7 @@ The result is a set of files and directories containing everything needed to bui
 
 Once the files have been written to your directory, the container terminates and can be deleted.
 
-You can run the container directly from teh docker hub like this:
+You can run the container directly from the docker hub like this:
 docker run -it -v $PWD:/output -e "BUILD_ENV=LINUX" tier/shibbidp_configbuilder_container
 
 -OR, for a Windows container, like this-

From 89898a019d1302a452dad3fcbdca0587ea600874 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Tue, 19 Feb 2019 14:13:22 -0600
Subject: [PATCH 12/34] switch dloads to curl for redirects

---
 configBuilder.sh | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/configBuilder.sh b/configBuilder.sh
index 27f257e..ab9e652 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -103,8 +103,10 @@ mkdir -p config/shib-idp/metadata
 ##############################################################
 #
 echo "Downloading TIER default configs"
-wget -q -O ${TMP_DIR_S}.zip ${SHB_CFG_URL}  > /dev/null
-wget -q -O ${TMP_DIR_T}.zip ${TOM_CFG_URL}  > /dev/null
+#wget -q -O ${TMP_DIR_S}.zip ${SHB_CFG_URL}  > /dev/null
+#wget -q -O ${TMP_DIR_T}.zip ${TOM_CFG_URL}  > /dev/null
+curl -kLo ${TMP_DIR_S}.zip ${SHB_CFG_URL} > /dev/null
+curl -kLo ${TMP_DIR_T}.zip ${TOM_CFG_URL} > /dev/null
 
 
 ######################
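Review bot: `curl -kLo` disables TLS certificate verification for the download of the IdP configuration tree, which includes the `credentials/` directory the script copies into `${SHBCREDS}` later on; an on-path attacker can then serve a modified config or key material and nothing downstream detects it. Drop `-k`, add `-f` so an HTTP error page is not saved under the zip name, and abort on failure: `curl -fsSLo ${TMP_DIR_S}.zip ${SHB_CFG_URL} || { echo >&2 "ERROR: download of ${SHB_CFG_URL} failed"; exit 1; }`, and the same for the tomcat config line; if the internal GitHub host uses a private CA, add that CA to the image's trust store instead of skipping verification. `> /dev/null` is redundant once `-o` is used, and the two commented-out wget lines should be deleted rather than kept.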

From 6cc3b0d61a77b42e5753bb1c98176f3a5b4bb3b9 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 19 Apr 2019 13:31:42 -0500
Subject: [PATCH 13/34] Update Dockerfile.windows.template

---
 Dockerfile.windows.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.windows.template b/Dockerfile.windows.template
index 3ac39dd..7efa140 100644
--- a/Dockerfile.windows.template
+++ b/Dockerfile.windows.template
@@ -1,4 +1,4 @@
-FROM tier/shibbidp_novm_windows:latest
+FROM tier/shib-idp-windows:latest
 
 #params for supplying your IdP config to your container (can be overridden at build-time using build-args)
 ARG TOMCFG=config\\tomcat

From 224c9aea4299fce2f72f156861f291534cc5ee9d Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 7 Oct 2019 21:11:36 +0000
Subject: [PATCH 14/34] change config url

---
 Dockerfile               | 27 +++++++++++++++++++++------
 common.bash              |  2 +-
 configBuilder.sh         | 28 ++++++++++++++--------------
 corretto-signing-key.pub | 21 +++++++++++++++++++++
 4 files changed, 57 insertions(+), 21 deletions(-)
 create mode 100644 corretto-signing-key.pub

diff --git a/Dockerfile b/Dockerfile
index f82998d..053089f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,17 +1,32 @@
-FROM centos:latest
+FROM centos:centos7
 
 # Install needed utils
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \
     yum -y install wget zip unzip rsync openssl && \
     yum -y clean all
 
-#download/install Java
-ENV JAVA_HOME /usr
+# Install Corretto Java JDK
+#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
+ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
+ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
+COPY corretto-signing-key.pub .
+RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
+    && rpm --import corretto-signing-key.pub \
+    && rpm -K $CORRETTO_RPM \
+    && rpm -i $CORRETTO_RPM \
+    && rm -r corretto-signing-key.pub $CORRETTO_RPM
+ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto
+
+
+
+
+#download/install Azul Java
+#ENV JAVA_HOME /usr
 
 # Install Zulu Java
-RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
-        && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
-        && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
+#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
+#        && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
+#        && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
 
 #RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \
 #     yum -y install /tmp/jre-8u171-linux-x64.rpm && \
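Review bot: `curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM` has no `-f`, so a 404 or an HTML error page is saved under the RPM name; the following `rpm -K` would then break the `&&` chain, but with a misleading signature error — use `curl -fsSLO $CORRETTO_URL_BASE/$CORRETTO_RPM`. Checking the signature against a vendored key is the right approach; record the key's fingerprint in a comment next to `COPY corretto-signing-key.pub .` (`# fingerprint: <KEY-FINGERPRINT placeholder, taken from the vendor's download page>`) so a reviewer can verify the committed key independently of this repository. `rm -r` on two regular files works but suggests directories were expected; `rm -f` is the conventional form. The stage now carries the Oracle and Azul installs as comments plus four blank lines; delete them, git history keeps the old recipes.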
diff --git a/common.bash b/common.bash
index 312403c..314d47a 100644
--- a/common.bash
+++ b/common.bash
@@ -2,4 +2,4 @@ registry="docker.io"
 maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.3"
+version="0.4"
diff --git a/configBuilder.sh b/configBuilder.sh
index ab9e652..854e95e 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -7,9 +7,9 @@ cd /scriptrun
 
 
 # script config items
-SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.4release.zip
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.4-InCommon.zip
 TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
-TMP_DIR_S=/tmp/3.4release
+TMP_DIR_S=/tmp/3.4-InCommon
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
 #LINUX_BUILD_FILES_URL=https://github.internet2.edu/docker/shib-idp/archive/master.zip
@@ -118,12 +118,12 @@ unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
 ################################################################################
 ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
 ################################################################################
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/conf/* ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/views/* ${SHBVIEWS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/edit-webapp/* ${SHBEDWAPP}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/messages/* ${SHBMSGS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/metadata/* ${SHBMD}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4release/credentials/* ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/conf/* ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/views/* ${SHBVIEWS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/edit-webapp/* ${SHBEDWAPP}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/messages/* ${SHBMSGS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/metadata/* ${SHBMD}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/credentials/* ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 
@@ -500,8 +500,8 @@ if test \! -f ${IDP_PROP}.dist; then
 fi
 
 sed "s/example.org\/idp\/shibboleth/${FQDN}\/idp\/shibboleth/" ${IDP_PROP}.dist > ${IDP_PROP}.tmp
-sed "s/= example.org/= ${SCOPE}/" ${IDP_PROP}.tmp > ${IDP_PROP}.tmp2
-sed "s#Password= changeit#Password= ${SEALERPWD}#" ${IDP_PROP}.tmp2 > ${IDP_PROP}
+sed "s/=example.org/=${SCOPE}/" ${IDP_PROP}.tmp > ${IDP_PROP}.tmp2
+sed "s#Password=changeit#Password=${SEALERPWD}#" ${IDP_PROP}.tmp2 > ${IDP_PROP}
 rm -f ${IDP_PROP}.tmp
 rm -f ${IDP_PROP}.tmp2
 #
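Review bot: The new `sed "s#Password=changeit#Password=${SEALERPWD}#"` line interpolates the sealer password into the sed expression, so a value containing `#`, `&` or `\` either breaks the command or writes a different password into idp.properties than the one entered, with no error. Escape it once before use, `SEALERPWD_ESC=$(printf '%s' "$SEALERPWD" | sed 's/[&#\\]/\\&/g')`, and substitute `${SEALERPWD_ESC}` in the replacement; the same applies to `${LDAPPWD}` in the `myServicePassword` replacement in the next hunk. The `.tmp`/`.tmp2` intermediates hold the password in clear between the two commands, so the adjacent `rm -f` lines should stay where they are.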
@@ -513,7 +513,7 @@ if test \! -f ${LDAP_PROP}.dist; then
 fi
 
 sed "s/#idp.authn.LDAP.authenticator/idp.authn.LDAP.authenticator/" ${LDAP_PROP}.dist > ${LDAP_PROP}.tmp
-sed "s/= anonSearchAuthenticator/= bindSearchAuthenticator/" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2
+sed "s/=anonSearchAuthenticator/=bindSearchAuthenticator/" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2
 sed "s#ldap://localhost:10389#${LDAPURL}#" ${LDAP_PROP}.tmp2 > ${LDAP_PROP}.tmp3
 sed "s#uid=myservice,ou=system#${LDAPDN}#" ${LDAP_PROP}.tmp3 > ${LDAP_PROP}.tmp4
 sed "s#myServicePassword#${LDAPPWD}#" ${LDAP_PROP}.tmp4 > ${LDAP_PROP}.tmp5
@@ -761,9 +761,9 @@ rm -f ${TMP_DIR_T}.zip
 rm -rf ${TMP_DIR_T}/*
 rmdir ${TMP_DIR_T}
 
-rm -f ${TMP_DIR_D}.zip
-rm -rf ${TMP_DIR_D}/*
-rmdir ${TMP_DIR_D}
+#rm -f ${TMP_DIR_D}.zip
+#rm -rf ${TMP_DIR_D}/*
+#rmdir ${TMP_DIR_D}
 
 
 #copy config to output directory
diff --git a/corretto-signing-key.pub b/corretto-signing-key.pub
new file mode 100644
index 0000000..a41b926
--- /dev/null
+++ b/corretto-signing-key.pub
@@ -0,0 +1,21 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v2.0.22 (GNU/Linux)
+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+=q2VU
+-----END PGP PUBLIC KEY BLOCK-----
+

From 8ce017bee773ba8530bca4de1c8f79eadbaea6e3 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 7 Oct 2019 21:19:56 +0000
Subject: [PATCH 15/34] jenkins tweak

---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index a81c0d4..a2cf4d7 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -10,7 +10,7 @@ node {
     dir('tmp'){
       git([ url: "https://github.internet2.edu/docker/util.git",
           credentialsId: "jenkins-github-access-token" ])
-      sh 'mv ./bin/* ../bin/.'
+      sh 'mv -f ./bin/* ../bin/.'
     }
     sh 'rm -rf tmp'
 

From c3d03c932957c2b37dc525fc73460440df5304df Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 7 Oct 2019 21:23:12 +0000
Subject: [PATCH 16/34] jenkins tweak

---
 Jenkinsfile | 1 +
 1 file changed, 1 insertion(+)

diff --git a/Jenkinsfile b/Jenkinsfile
index a2cf4d7..64d4325 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -10,6 +10,7 @@ node {
     dir('tmp'){
       git([ url: "https://github.internet2.edu/docker/util.git",
           credentialsId: "jenkins-github-access-token" ])
+      sh 'rm -rf ./bin/windows/'
       sh 'mv -f ./bin/* ../bin/.'
     }
     sh 'rm -rf tmp'

From 9f7dd5e00b2461dd77548708ded062694efd7f38 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 12 Feb 2020 03:03:50 +0000
Subject: [PATCH 17/34] changes for IdP 4.0

---
 configBuilder.sh | 376 ++++++-----------------------------------------
 1 file changed, 42 insertions(+), 334 deletions(-)

diff --git a/configBuilder.sh b/configBuilder.sh
index 854e95e..5989d1e 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -7,18 +7,15 @@ cd /scriptrun
 
 
 # script config items
-SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/3.4-InCommon.zip
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.0-InCommon.zip
 TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
-TMP_DIR_S=/tmp/3.4-InCommon
+TMP_DIR_S=/tmp/4.0-InCommon
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
-#LINUX_BUILD_FILES_URL=https://github.internet2.edu/docker/shib-idp/archive/master.zip
-#WINDOWS_BUILD_FILES_URL=https://github.internet2.edu/docker/ShibbIdP_noVM_Windows/archive/master.zip
 
 
 # default directories
 TOMCFG=config/tomcat
-#TOMLOG=logs/tomcat
 TOMCERT=credentials/tomcat
 TOMWWWROOT=wwwroot
 SHBCFG=config/shib-idp/conf
@@ -27,7 +24,6 @@ SHBVIEWS=config/shib-idp/views
 SHBEDWAPP=config/shib-idp/edit-webapp
 SHBMSGS=config/shib-idp/messages
 SHBMD=config/shib-idp/metadata
-#SHBLOG=logs/shib-idp
 
 # logs
 LOGFILE=${PWD}/setup.log
@@ -45,66 +41,21 @@ TIER_TESTBED=None
 BURNMOUNT=None
 USESECRETS=None
 
-
 ##################################
 ### ensure directory structure ###
 ##################################
 mkdir -p config/tomcat
-#mkdir -p logs/tomcat
 mkdir -p credentials/tomcat
 mkdir -p wwwroot
 mkdir -p config/shib-idp/conf
 mkdir -p credentials/shib-idp
-mkdir -p config/shib-idp/views
-mkdir -p config/shib-idp/edit-webapp
-mkdir -p config/shib-idp/messages
 mkdir -p config/shib-idp/metadata
-#mkdir -p logs/shib-idp
-
-
-###########################################################
-### grab the docker build files, depending on OS choice ###
-###########################################################
-## first, check for wget
-#command -v wget >/dev/null 2>&1 || { echo >&2 "ERROR: wget is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
-#
-#
-#case "$BUILD_ENV" in
-#LINUX | linux)
-#    echo "Getting build files for a Linux container"
-#    wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL}  > /dev/null
-#    unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
-#    cp -rf ${TMP_DIR_D}/shib-idp-master/* /output
-#    ;;
-#WINDOWS | windows)
-#    echo "Getting build files for a Windows container"
-#    wget -q -O ${TMP_DIR_D}.zip ${WINDOWS_BUILD_FILES_URL}  > /dev/null
-#    unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1
-#    cp -rf ${TMP_DIR_D}/ShibbIdP_noVM_Windows-master/* /output
-#    ;;
-#*)
-#    echo "Environment variable BUILD_ENV was not found or had an incorrect value (only LINUX|WINDOWS is supported).  Terminating."
-#    exit 1
-#    ;;
-#esac
-#
-#rm -f /output/configBuilder.sh > /dev/null 2>&1
-#rm -f /output/setup.log > /dev/null 2>&1
-#rm -f /output/README.md > /dev/null 2>&1
-#rm -rf /output/shib-idp-master/*
-#
-##grab copy of Dockerfile in working dir
-#cp -f /output/Dockerfile .
-##############################################################
-
 
 ##############################################################
 ### download default/TIER config for both shibb and tomcat ###
 ##############################################################
 #
 echo "Downloading TIER default configs"
-#wget -q -O ${TMP_DIR_S}.zip ${SHB_CFG_URL}  > /dev/null
-#wget -q -O ${TMP_DIR_T}.zip ${TOM_CFG_URL}  > /dev/null
 curl -kLo ${TMP_DIR_S}.zip ${SHB_CFG_URL} > /dev/null
 curl -kLo ${TMP_DIR_T}.zip ${TOM_CFG_URL} > /dev/null
 
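Review bot: The two `curl -kLo` downloads at the end of the hunk fetch the IdP configuration tree with TLS certificate verification disabled, and the next hunk copies `credentials/inc-md-cert-mdq.pem` — apparently the certificate used to verify federation metadata — out of that download, so a tampered endpoint could replace the trust anchor undetected. Drop `-k`; if the host's certificate is not in the container's CA bundle, add the issuing CA to the image (or pass `--cacert`) rather than disabling verification, and fail when the download fails, e.g. `curl -fsSLo ${TMP_DIR_S}.zip ${SHB_CFG_URL} || exit 1`. Without `-f`, an HTTP error page is saved as the zip and only surfaces as an unzip failure that the `> /dev/null 2>&1` on the following lines hides.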
@@ -115,15 +66,17 @@ curl -kLo ${TMP_DIR_T}.zip ${TOM_CFG_URL} > /dev/null
 unzip -o -d ${TMP_DIR_S} ${TMP_DIR_S}.zip > /dev/null 2>&1
 unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
 
+
 ################################################################################
 ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
 ################################################################################
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/conf/* ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/views/* ${SHBVIEWS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/edit-webapp/* ${SHBEDWAPP}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/messages/* ${SHBMSGS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/metadata/* ${SHBMD}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-3.4-InCommon/credentials/* ${SHBCREDS}
+#
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/idp.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/ldap.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/metadata-providers.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 
@@ -131,45 +84,6 @@ cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 #####################################################
 ### ask setup questions to aid in config building ###
 #####################################################
-#
-# Get Oracle license agreement from the user
-#
-#echo ""
-#echo "The Shibboleth IdP requires that you use Oracle Java.  The Docker container "
-#echo "should be configured to download it for you as part of the Docker image build "
-#echo "process, but, before we proceed, you must agree to the Oracle Binary Code "
-#echo "License Agreement for Java SE (\"Oracle License\").  Please review:"
-#echo ""
-#echo "  http://www.oracle.com/technetwork/java/javase/terms/license/index.html"
-#echo ""
-#echo "By agreeing to the Oracle License, you acknowledge that Internet2 is not"
-#echo "distributing the Java software and, to the extent an issue arises"
-#echo "related to your use of Oracle Java in the TIER software package, you and"
-#echo "Internet2 agree to hold each other harmless from any third party claims."
-#echo ""${PWD}
-#
-#while [ ${ORACLE_JAVA_APPROVAL} == "None" ]; do
-#    echo -n "Do you agree to the terms of the Oracle license [Yes/No]? "
-#    read response
-#    case $response in
-#        Yes)
-#            ORACLE_JAVA_APPROVAL=$response
-#            ;;
-#        No)
-#            ORACLE_JAVA_APPROVAL=$response
-#            ;;
-#        *)
-#            echo "Please respond with Yes or No"
-#    esac
-#done
-#if [ ${ORACLE_JAVA_APPROVAL} != "Yes" ]; then
-#    echo ""
-#    echo "In order to use this implementation of the Shibboleth IdP, you must"
-#    echo "use Oracle Java and thus agree to the terms of the Oracle license."
-#    exit 0
-#fi
-
-
 #
 # Get the FQDN of the server
 #
@@ -275,7 +189,6 @@ while [ ${LDAPBASEDN} == "None" ]; do
             ;;
     esac
 done
-#echo "LDAP Base DN is: $LDAPBASEDN"
 
 #
 # Get the LDAP DN for this deployment
@@ -302,7 +215,6 @@ while [ ${LDAPDN} == "None" ]; do
             ;;
     esac
 done
-#echo "LDAP DN is: $LDAPDN"
 
 #
 # Get the LDAP PWD for this deployment
@@ -331,50 +243,11 @@ while [ ${LDAPPWD} == "None" ]; do
 done
 
 
-#######################
-## ask about secrets ##
-#######################
-cat << EOF
-
-
-***********************************************************************************
-***********************************************************************************
- ==> The next question deals with the use of 'secrets' in your container.
-
-Secrets are files that contain senstivie information such as passwords or keys.  The following files are considered 'secrets':
-idp.properties
-ldap.properties
-attribute-resolver.xml
-attribute-filter.xml
-relying-party.xml
-metadata-providers.xml
-idp-signing.key
-idp-signing.crt
-idp-encryption.key
-idp-encryption.crt
-sealer.jks
-sealer.kver
-keystore.jks  (Tomcat SSL)
-
-If you answer yes/y to this question, the files listed above will be removed from the directories containing the other configuration files (intended to be burned into the container), and placed into a folder named 'SECRETS'.  You can then use these files with your container orchestration system to overlay the relevant files in your running containers.
-
-If you answer no/n to this question, your configuration (intended to be burned into the container) will contain all config files, including those with sensitive information.
-EOF
-while [ ${USESECRETS} == "None" ]; do
-    echo -n "Would you like to isolate "secrets" from your generated Shibb IdP configuration? "
-    read yesno
-    case $yesno in
-        Yes|yes|Y|y)
-            USESECRETS=YES
-	    BURNMOUNT=hybrid
-            ;;
-        No|no|N|n)
-            USESECRETS=NO
-	    BURNMOUNT=burn
-            ;;
-    esac
-done
-
+#######################################
+## support for secrets is deprecated ##
+#######################################
+USESECRETS=NO
+BURNMOUNT=burn
 
 
 ############################################################
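Review bot: The new `USESECRETS=NO` / `BURNMOUNT=burn` block says secrets support is deprecated but not what that means for the output: with burn as the only mode, everything the script generates — including the credentials directory that Dockerfile.template `ADD`s into the image, as a later section on this page shows — ends up in image layers. A comment at the block, `# Burned-in config is now the only mode: every generated file, credentials included, is copied into the image by Dockerfile.template`, would make that visible to whoever runs the script. The two variables are also still initialised to `None` near the top of the script (context in an earlier hunk), which can go now that they are constants.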
@@ -499,11 +372,9 @@ if test \! -f ${IDP_PROP}.dist; then
     cp ${IDP_PROP} ${IDP_PROP}.dist
 fi
 
-sed "s/example.org\/idp\/shibboleth/${FQDN}\/idp\/shibboleth/" ${IDP_PROP}.dist > ${IDP_PROP}.tmp
-sed "s/=example.org/=${SCOPE}/" ${IDP_PROP}.tmp > ${IDP_PROP}.tmp2
-sed "s#Password=changeit#Password=${SEALERPWD}#" ${IDP_PROP}.tmp2 > ${IDP_PROP}
+sed "s/idp.example.org\/idp\/shibboleth/${FQDN}\/idp\/shibboleth/" ${IDP_PROP}.dist > ${IDP_PROP}.tmp
+sed "s/=example.org/=${SCOPE}/" ${IDP_PROP}.tmp > ${IDP_PROP}
 rm -f ${IDP_PROP}.tmp
-rm -f ${IDP_PROP}.tmp2
 #
 
 # set ldap URL, baseDN, svcDN, pwd in ldap.properties
@@ -513,64 +384,36 @@ if test \! -f ${LDAP_PROP}.dist; then
 fi
 
 sed "s/#idp.authn.LDAP.authenticator/idp.authn.LDAP.authenticator/" ${LDAP_PROP}.dist > ${LDAP_PROP}.tmp
-sed "s/=anonSearchAuthenticator/=bindSearchAuthenticator/" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2
+sed "s/= anonSearchAuthenticator/= bindSearchAuthenticator/" ${LDAP_PROP}.tmp > ${LDAP_PROP}.tmp2
 sed "s#ldap://localhost:10389#${LDAPURL}#" ${LDAP_PROP}.tmp2 > ${LDAP_PROP}.tmp3
 sed "s#uid=myservice,ou=system#${LDAPDN}#" ${LDAP_PROP}.tmp3 > ${LDAP_PROP}.tmp4
-sed "s#myServicePassword#${LDAPPWD}#" ${LDAP_PROP}.tmp4 > ${LDAP_PROP}.tmp5
-sed "s#ou=people,dc=example,dc=org#${LDAPBASEDN}#" ${LDAP_PROP}.tmp5 > ${LDAP_PROP}
-
+sed "s#ou=people,dc=example,dc=org#${LDAPBASEDN}#" ${LDAP_PROP}.tmp4 > ${LDAP_PROP}
 rm -f ${LDAP_PROP}.tmp
 rm -f ${LDAP_PROP}.tmp2
 rm -f ${LDAP_PROP}.tmp3
 rm -f ${LDAP_PROP}.tmp4
-rm -f ${LDAP_PROP}.tmp5
 
-# adjust Dockerfile for java and for a burned-in config, if needed
-#
-#java first
-#if test \! -f Dockerfile.dist; then
-#    cp Dockerfile Dockerfile.dist
-#fi
-#cat <<EOF > docker_edit.sed
-#s/^# ENV /ENV /
-#s/^# RUN /RUN /
-#s/^#     yum/     yum/
-#s/^#     rm/     rm/
-#s/^#     alternatives/     alternatives/
-#s/^#     http/     http/
-#s/^#     \&\&/     \&\&/
-#EOF
-#rm -f Dockerfile
-#sed -f docker_edit.sed Dockerfile.dist > Dockerfile
-#rm -f docker_edit.sed
-
-#if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then
-#  echo "Configuring Docker for burned-in/hybrid configuration."
-#
-#  mv -f Dockerfile Dockerfile.setup
-#  cat <<EOF > docker_edit.sed
-#s/^## ADD /ADD /
-#/^VOLUME/,+10 s/^/#/
-#EOF
-#  rm -f Dockerfile
-#  sed -f docker_edit.sed Dockerfile.setup > Dockerfile
-#  rm -f Dockerfile.setup
-#  rm -f docker_edit.sed
-#
-#fi
 
-#if [ ${USESECRETS} == "YES" ] && [ ${BUILD_ENV} == "WINDOWS" ]; then
-#  echo "Configuring Dockerfile for use of secrets in a Windows container."
-#
-#  mv -f Dockerfile Dockerfile.setup
-#  cat <<EOF > docker_edit.sed
-#s/^#!# RUN /RUN /
-#EOF
-#  rm -f Dockerfile
-#  sed -f docker_edit.sed Dockerfile.setup > Dockerfile
-#  rm -f Dockerfile.setup
-#  rm -f docker_edit.sed
-#fi
+#################################
+## generate secrets.properties ##
+#################################
+cat > ./${SHBCREDS}/secrets.properties << EOF
+# This is a reserved spot for most properties containing passwords or other secrets.
+# Created by install at $(date)
+
+# Access to internal AES encryption key
+idp.sealer.storePassword = ${SEALERPWD}
+idp.sealer.keyPassword = ${SEALERPWD}
+
+# Default access to LDAP authn and attribute stores. 
+idp.authn.LDAP.bindDNCredential              = ${LDAPPWD}
+idp.attribute.resolver.LDAP.bindDNCredential = %{idp.authn.LDAP.bindDNCredential:undefined}
+
+# Salt used to generate persistent/pairwise IDs, must be kept secret
+#idp.persistentId.salt = changethistosomethingrandom
+
+EOF
+
 
 # configure SSL keystore password in tomcat's config file: 
 #    conf/tomcat/server.xml replace: keystorePass="password"
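Review bot: The `cat > ./${SHBCREDS}/secrets.properties << EOF` heredoc writes the sealer and LDAP bind passwords in clear text with whatever mode the process umask gives, typically 0644, so the file is world-readable in the output directory and in any image it is copied into. Tighten it in the same step, `chmod 600 ./${SHBCREDS}/secrets.properties`, or set `umask 077` before the redirection. The unquoted heredoc is correct here (the `$(date)` and `${...}` expansions are intended, and the expanded values are not re-evaluated), but a short comment saying the delimiter is deliberately unquoted would stop a later cleanup from quoting `EOF` and emitting literal `${SEALERPWD}` into the file.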
@@ -603,32 +446,6 @@ esac
 
 
 # if the user chose to use secrets, then generate a directory containing the config with secrets removed
-if [ ${USESECRETS} == "YES" ]; then
- echo ""
- echo "Creating sanitized config for use with secrets..."
- echo ""
- destPath=${PWD}
- mkdir -p ${destPath}/SECRETS
-
-# move secrets
- mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null
- mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null
- mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null
- mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null
- mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null
- mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null
- mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null
- mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null
- mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null
- mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null
- mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null
- mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null
- mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null
-
- echo ""
- echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory"
- echo ""
-fi
 
 #copy files directly instead of zipping
 mkdir -p /output-tmp
@@ -639,20 +456,6 @@ cp -Rf /output-tmp/* /output
 rm -rf /output-tmp/*
 rmdir /output-tmp
 
-
-#echo ""
-#echo "Archiving generated config..."
-#echo ""
-##ensure zip
-#command -v zip >/dev/null 2>&1 || { echo >&2 "ERROR: zip is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
-#FILENAME=./shib-idp-config_`date +%m%d%Y-%H%M%S`.zip
-#zip -r ${FILENAME} ./* > /dev/null
-
-#special for the special-purpose container
-#cp ${FILENAME} /output
-#zip -d /output/${FILENAME:2} "configBuilder.sh"
-#zip -d /output/${FILENAME:2} "Dockerfile"
-#zip -d /output/${FILENAME:2} "setup.log"
 echo "wrote config to output location (typically PWD)"...
 
 
@@ -662,92 +465,9 @@ echo "wrote config to output location (typically PWD)"...
 ### notify user of next steps (docker build and docker run commands, based on burn/mount and chosen directory locations) ###
 ############################################################################################################################
 echo ""
-echo "Your initial configuration has been successfully setup."
-echo ""
-echo ""
-if [ ${BURNMOUNT} == "burn" ]; then
-  echo "Since you have elected to use a completely burned-in config, the steps for "
-  echo "  you to build and run a TIER Shibboleth-IdP container are below."
-  echo "1. BUILD"
-  echo " It will be necessary to specify where to find your config at build-time, "
-  echo "      so that it can be copied into the container."
-  echo ""
-  echo " If you are using the default config locations (used/created by the ConfigBuilder service), then the following command would be correct:"
-  echo "          docker build --rm -t my/shibb-idp-tier ."
-  echo ""
-  echo " If you have an existing config or otherwise need to supply non-default paths for your config bits, "
-  echo "      that can be done by overriding the default values in the build command like this "
-  echo "      (the values below are all the default values - modify as appropriate):"
-  echo ""
-  echo "          docker build --rm -t my/shibb-idp-tier --build-arg TOMCFG=config/tomcat \\
-			           --build-arg TOMLOG=logs/tomcat \\
-			           --build-arg TOMCERT=credentials/tomcat \\
-			           --build-arg TOMWWWROOT=wwwroot \\
-			           --build-arg SHBCFG=config/shib-idp/conf \\
-			           --build-arg SHBCREDS=credentials/shib-idp \\
-			           --build-arg SHBVIEWS=config/shib-idp/views \\
-			           --build-arg SHBEDWAPP=config/shib-idp/edit-webapp \\
-			           --build-arg SHBMSGS=config/shib-idp/messages \\
-			           --build-arg SHBMD=config/shib-idp/metadata \\
-			           --build-arg SHBLOG=logs/shib-idp ."
-  echo ""
-  echo ""
-  echo "2. RUN"
-  echo ""
-  echo "           docker run -d --name shib-idp -p 443:443 my/shibb-idp-tier"
-elif [ ${BURNMOUNT} == "hybrid" ]; then
-  echo "Since you have elected to use a hybrid config (with secrets), the steps for "
-  echo "  you to build and run a TIER Shibboleth-IdP container are below."
-  echo "1. BUILD"
-  echo " It will be necessary to specify where to find your config at build-time, but with a hybrid config, "
-  echo "      you'll want to point it to a set of config files that have no \"secrets\""
-  echo ""
-  echo "To do this, point an environment variable at the alternate location (created by this script):"
-  echo "          export ALTCFG=ConfigNoSecrets"
-  echo ""
-  echo "          docker build --rm -t my/shibb-idp-tier --build-arg TOMCFG=${ALTCFG}/config/tomcat \\
-                   --build-arg TOMLOG=${ALTCFG}/logs/tomcat \\
-                   --build-arg TOMCERT=${ALTCFG}/credentials/tomcat \\
-                   --build-arg TOMWWWROOT=${ALTCFG}/wwwroot \\
-                   --build-arg SHBCFG=${ALTCFG}/config/shib-idp/conf \\
-                   --build-arg SHBCREDS=${ALTCFG}/credentials/shib-idp \\
-                   --build-arg SHBVIEWS=${ALTCFG}/config/shib-idp/views \\
-                   --build-arg SHBEDWAPP=${ALTCFG}/config/shib-idp/edit-webapp \\
-                   --build-arg SHBMSGS=${ALTCFG}/config/shib-idp/messages \\
-                   --build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \\
-                   --build-arg SHBLOG=${ALTCFG}/logs/shib-idp ."
-  echo ""
-  echo "Next, you would create the appropriate secrets/overlays in your container orchestration system and run the container.  See documentation wiki for more info."
-  echo ""
-else 
-  echo "Since you have elected to use a mounted config, the steps for "
-  echo "  you to build and run a TIER Shibboleth-IdP container are below."
-  echo "BUILD"
-  echo " You can build an image for a mounted config quite simply using a command like this:"
-  echo "   (optionally substitute any tag name (after -t) that is appropriate) "
-  echo ""
-  echo "           docker build --rm -t my/shibb-idp-tier ."
-  echo ""
-  echo ""
-  echo "RUN"
-  echo " For a mounted config, you will need to supply your config locations at run-time, like this (assuming the default locations for the local config)."
-  echo ""
-  echo "           docker run -d --name shib-test1 -p 443:443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\
-                      -v ${PWD}/${TOMWWWROOT}:/usr/local/tomcat/webapps/ROOT \\
-                      -v ${PWD}/${TOMLOG}:/usr/local/tomcat/logs \\
-                      -v ${PWD}/${TOMCERT}:/opt/certs \\
-                      -v ${PWD}/${SHBCFG}:/opt/shibboleth-idp/conf \\
-                      -v ${PWD}/${SHBCREDS}:/opt/shibboleth-idp/credentials \\
-                      -v ${PWD}/${SHBVIEWS}:/opt/shibboleth-idpviews \\
-                      -v ${PWD}/${SHBEDWAPP}:/opt/shibboleth-idp/edit-webapp \\
-                      -v ${PWD}/${SHBMSGS}:/opt/shibboleth-idp/messages \\
-                      -v ${PWD}/${SHBMD}:/opt/shibboleth-idp/metadata \\
-                      -v ${PWD}/${SHBLOG}:/opt/shibboleth-idp/logs \\
-                   my/shibb-idp-tier"
-
-
-fi
-
+echo "Your initial configuration has been successfully built."
+echo ""
+echo ""
 
 
 #################################
@@ -761,19 +481,7 @@ rm -f ${TMP_DIR_T}.zip
 rm -rf ${TMP_DIR_T}/*
 rmdir ${TMP_DIR_T}
 
-#rm -f ${TMP_DIR_D}.zip
-#rm -rf ${TMP_DIR_D}/*
-#rmdir ${TMP_DIR_D}
-
-
-#copy config to output directory
-#cp -rfn config/. /output/config/
-#cp -rfn logs/. /output/logs/
-#cp -rfn credentials/. /output/credentials/
-#cp -rfn wwwroot/. /output/wwwroot/
 #
-#echo config saved to ${FILENAME:2}
 echo config saved to configured local directory
-#sleep 3
 echo ""
 echo ""

From f27bf4763a6d0b0c0051669a58e9a576bcb15a60 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 12 Feb 2020 05:42:53 +0000
Subject: [PATCH 18/34] minor cleanup

---
 Dockerfile.template         | 6 +++---
 Dockerfile.windows.template | 6 +++---
 common.bash                 | 2 +-
 configBuilder.sh            | 2 --
 4 files changed, 7 insertions(+), 9 deletions(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index d851db6..c5f74ab 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -17,9 +17,9 @@ ADD ${TOMCERT} /opt/certs
 ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
 ADD ${SHBCFG} /opt/shibboleth-idp/conf
 ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
-ADD ${SHBVIEWS} /opt/shibboleth-idp/views
-ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
-ADD ${SHBMSGS} /opt/shibboleth-idp/messages
+#ADD ${SHBVIEWS} /opt/shibboleth-idp/views
+#ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
+#ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
 
 
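Review bot: The three `ADD ${SHB...}` lines are commented out with no indication why, and the remaining `ADD` instructions copy plain local directories, for which `COPY` is the explicit choice (`ADD` additionally extracts archives and fetches URLs, neither wanted here). A one-line comment stating the reason, e.g. `# views/edit-webapp/messages intentionally not overlaid: <reason>`, would keep the next reader from re-enabling them by accident. The `ADD` to `COPY` change on the live lines applies equally to Dockerfile.windows.template in the next file section.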
diff --git a/Dockerfile.windows.template b/Dockerfile.windows.template
index 7efa140..304ad32 100644
--- a/Dockerfile.windows.template
+++ b/Dockerfile.windows.template
@@ -18,9 +18,9 @@ ADD $TOMCERT c:\\opt\\certs
 ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
 ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
 ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
-ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
-ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
-ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
+#ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
+#ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
+#ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
 ADD $SHBMD c:\\opt\\shibboleth-idp\\metadata
 
 # Uncomment if using secrets; removes existing files from the container so that secrets can propagate (issue with Windows containers)
diff --git a/common.bash b/common.bash
index 314d47a..9b82abc 100644
--- a/common.bash
+++ b/common.bash
@@ -2,4 +2,4 @@ registry="docker.io"
 maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.4"
+version="0.5"
diff --git a/configBuilder.sh b/configBuilder.sh
index 5989d1e..c37feb3 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -445,8 +445,6 @@ WINDOWS | windows)
 esac
 
 
-# if the user chose to use secrets, then generate a directory containing the config with secrets removed
-
 #copy files directly instead of zipping
 mkdir -p /output-tmp
 cp -R ./* /output-tmp

From 0ceabba987ab6393cda942b72391651d72c49d76 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 12 Feb 2020 21:43:13 +0000
Subject: [PATCH 19/34] bugfix

---
 configBuilder.sh | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)

diff --git a/configBuilder.sh b/configBuilder.sh
index c37feb3..1627a72 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -77,6 +77,7 @@ cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/metadata-providers.xml $
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/sealer.kver ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 
@@ -123,17 +124,18 @@ echo ""
 echo "We will use the information you enter here to configure your IdP."
 echo ""
 while [ ${SCOPE} == "None" ]; do
-    echo -n "Enter the Scope for your IdP: "
+    echo -n "Enter the Scope for your IdP [`expr "$FQDN" | cut -f2- -d.`]: "
     read response
-    if [ ${#response} -lt 5  ]; then
+    TMPSCOPE=${response:-`expr "$FQDN" | cut -f2- -d.`}
+    if [ ${#TMPSCOPE} -lt 5  ]; then
         echo "Remember, you need domain - domain.edu or similar"
         continue
     fi
-    echo -n "You entered: ${response}    Is this correct [Yes/No]? "
+    echo -n "You entered: ${TMPSCOPE}    Is this correct [Yes/No]? "
     read yesno
     case $yesno in
         Yes|yes|Y|y)
-            SCOPE=$response
+            SCOPE=$TMPSCOPE
             ;;
     esac
 done
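Review bot: The default scope `expr "$FQDN" | cut -f2- -d.` is computed twice, on the prompt line and on the `TMPSCOPE=` line; `expr` adds nothing over `echo` here and exits non-zero when its argument is empty or `0`, which bites once someone adds `set -e`. Compute it once before the loop with parameter expansion, `DEFAULT_SCOPE=${FQDN#*.}`, then `echo -n "Enter the Scope for your IdP [${DEFAULT_SCOPE}]: "` and `TMPSCOPE=${response:-$DEFAULT_SCOPE}`; `${FQDN#*.}` strips through the first dot exactly as `cut -f2- -d.` does, and like `cut` leaves a dot-less FQDN unchanged. In that dot-less case the default is the hostname itself, so the existing `-lt 5` length check remains the only guard that the scope is a domain.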

From 0fa324574398d3937e381a31b88f9d2cfb59fbac Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 25 Sep 2020 18:55:50 +0000
Subject: [PATCH 20/34] add additional directory structure into generated
 output

---
 Dockerfile               | 14 ++++++--------
 configBuilder.sh         |  7 +++++++
 corretto-signing-key.pub | 42 +++++++++++++++++++++++++---------------
 3 files changed, 39 insertions(+), 24 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 053089f..b55ff8f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -6,18 +6,16 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
     yum -y clean all
 
 # Install Corretto Java JDK
-#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-8-ug/downloads-list.html
-ARG CORRETTO_RPM=java-1.8.0-amazon-corretto-devel-1.8.0_222.b10-1.x86_64.rpm
-ARG CORRETTO_URL_BASE=https://d3pxv6yz143wms.cloudfront.net/8.222.10.1
-COPY corretto-signing-key.pub .
-RUN curl -O $CORRETTO_URL_BASE/$CORRETTO_RPM \
+#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
+ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
+ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
+COPY container_files/java-corretto/corretto-signing-key.pub .
+RUN curl -O -L $CORRETTO_URL_PERM \
     && rpm --import corretto-signing-key.pub \
     && rpm -K $CORRETTO_RPM \
     && rpm -i $CORRETTO_RPM \
     && rm -r corretto-signing-key.pub $CORRETTO_RPM
-ENV JAVA_HOME=/usr/lib/jvm/java-1.8.0-amazon-corretto
-
-
+ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
 
 
 #download/install Azul Java
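Review bot: `CORRETTO_URL_PERM` now points at a `latest` download, so the image is no longer reproducible and a rebuild silently picks up a different JDK; pin a versioned URL (as the removed 8.222.10.1 line did) or at least record the installed version in an `ARG`/`LABEL`. The `rpm -K` check is the right guard, but it only protects the build if the committed corretto-signing-key.pub is the genuine key, so a comment at the `COPY` line giving the key's fingerprint (`# fingerprint: <FINGERPRINT>`) lets reviewers verify it when the key file changes, as it does later in this commit. `curl -O -L` without `-f` stores an HTTP error body under the rpm name; `curl -fsSL -O $CORRETTO_URL_PERM` fails the build immediately instead of relying on `rpm -K` to reject the junk file.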
diff --git a/configBuilder.sh b/configBuilder.sh
index 1627a72..ba7aa6e 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -47,7 +47,14 @@ USESECRETS=None
 mkdir -p config/tomcat
 mkdir -p credentials/tomcat
 mkdir -p wwwroot
+mkdir -p config/shib-idp/views
+mkdir -p config/shib-idp/messages
+mkdir -p config/shib-idp/edit-webapp
+mkdir -p config/shib-idp/flows
 mkdir -p config/shib-idp/conf
+mkdir -p config/shib-idp/conf/authn
+mkdir -p config/shib-idp/conf/attributes
+mkdir -p config/shib-idp/conf/intercept
 mkdir -p credentials/shib-idp
 mkdir -p config/shib-idp/metadata
 
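Review bot: The new `mkdir -p config/shib-idp/views`, `messages` and `edit-webapp` lines recreate output directories whose `ADD` lines in Dockerfile.template were commented out in the previous commit on this page, so as far as the visible template shows they are generated but never copied into the image; `flows` has no template counterpart either, while the new `conf/authn`, `conf/attributes` and `conf/intercept` subdirectories are picked up by `ADD ${SHBCFG}`. Either re-enable those template lines or state the intent here, e.g. `# views/messages/edit-webapp/flows are created for local editing; Dockerfile.template does not copy them`.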
diff --git a/corretto-signing-key.pub b/corretto-signing-key.pub
index a41b926..1bb85b1 100644
--- a/corretto-signing-key.pub
+++ b/corretto-signing-key.pub
@@ -1,21 +1,31 @@
 -----BEGIN PGP PUBLIC KEY BLOCK-----
 Version: GnuPG v2.0.22 (GNU/Linux)
 
-mQENBF0uBDoBCACvZR8N0drCT+9XmesLbldPf8X9wGHf96dw6ZDnSBypMNVZp9o4
-u1VUJ6YKjnbs9pyWmgiA+XcxKlZUyqNzT+LIoEDJJXE47YKks1ThltQ9R7Vwjsvb
-9fUWxrITDbPpy5EbZuWOf2l2dPdHJxOkQnf1xTUnkcHob9IwycKXdvCduKW1KbT7
-ODKN7ZYEfENj63D6eFmgWG7dVV7JvVXJMl6aDHUBCPteS+VTbghx78N1YvVpb4V0
-Hnp/LQMbz1gnKLjMUKw4PcZoRrYmEmQlWOWOFPspepLnb06wWO9lWEkIsngFiA3C
-oLxDUI8Oo67tKg/0hN2RsqWFBSSKa/F6Wc11ABEBAAG0UkFtYXpvbiBTZXJ2aWNl
-cyBMTEMgKEFtYXpvbiBDb3JyZXRvIDguMjIyLjEwLjMgcmVsZWFzZSkgPGNvcnJl
-dHRvLXRlYW1AYW1hem9uLmNvbT6JAT8EEwECACkFAl0uBDoCGy8FCQlmAYAHCwkI
-BwMCAQYVCAIJCgsEFgIDAQIeAQIXgAAKCRC9k98GtUDWKiqjB/wMzhyE+Fm7DXU6
-koYGHyjY9AtPNDSR9uxXT1PvCjz/Gz12x/kjMz8dOjFwI3qOJhHFmYmjLX7Xb2ZR
-1di3/AyCmCWNdxh6X9JOMFBASlcRjKQk5ha69DO4CT1cg9+VSDpvYW+01ha5VC/q
-a29WFoL7G5UWWjGku0CXkn+JIRDCBboIumcldm1qoU5LUQVbYY7yqz5gsw+3nsbO
-rpEZPjpUGSlQ7IY7aWB4FB0kCQkT8d/mWbJ5/nacy3ib8ZnpIzvrVLO2v9IqBT9f
-Ul/8fdyXfYWjv9n2vE86mrYn9VtLI5umLeljgWDTWIqDV2Atn1wVD/g4M+vvQNCe
-vjspN4eD
-=q2VU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+=ZNRH
 -----END PGP PUBLIC KEY BLOCK-----
 

From 6dac0c4fe9ee64a1ffcbf2b933612bf238149eae Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 25 Sep 2020 18:58:23 +0000
Subject: [PATCH 21/34] fix typo

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index b55ff8f..1d5a59f 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -9,7 +9,7 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
 #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
 ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
 ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
-COPY container_files/java-corretto/corretto-signing-key.pub .
+COPY corretto-signing-key.pub .
 RUN curl -O -L $CORRETTO_URL_PERM \
     && rpm --import corretto-signing-key.pub \
     && rpm -K $CORRETTO_RPM \

From b772dbf6b9996a7ea84af0e37723f384972b8caa Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 19 Feb 2021 15:41:24 -0600
Subject: [PATCH 22/34] add logback.xml to saved config files

---
 configBuilder.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configBuilder.sh b/configBuilder.sh
index ba7aa6e..1ac726e 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -83,6 +83,7 @@ cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/ldap.properties ${SHBCFG
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/metadata-providers.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/logback.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/sealer.kver ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}

From 04622394a4145363c6ec8a657b997067fbbe6c2f Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 6 May 2021 20:01:22 +0000
Subject: [PATCH 23/34] initial for IdP 4.1.0

---
 Dockerfile.template        |  10 +-
 common.bash                |   2 +-
 configBuilder.sh           |  20 +--
 duo-oidc-truststore.asc    | 288 +++++++++++++++++++++++++++++++++++++
 oidc-common-truststore.asc | 288 +++++++++++++++++++++++++++++++++++++
 5 files changed, 596 insertions(+), 12 deletions(-)
 create mode 100644 duo-oidc-truststore.asc
 create mode 100644 oidc-common-truststore.asc

diff --git a/Dockerfile.template b/Dockerfile.template
index c5f74ab..df6d950 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -11,7 +11,7 @@ ARG SHBEDWAPP=config/shib-idp/edit-webapp
 ARG SHBMSGS=config/shib-idp/messages
 ARG SHBMD=config/shib-idp/metadata
 
-# copy in the needed config files
+# copy in those needed config files
 ADD ${TOMCFG} /usr/local/tomcat/conf
 ADD ${TOMCERT} /opt/certs
 ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
@@ -22,4 +22,12 @@ ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
 
+# new for 4.1.0: install the Duo OIDC integration
+#      https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration
+# For unattended install of plugins, trust must be manually bootstrapped.  You should never automate the retreival of this file (like this) for production.
+#ADD https://github.internet2.edu/raw/docker/ShibbIdP_ConfigBuilder_Container/master/oidc-common-truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.idp.plugin.authn.duo.nimbus/truststore.asc
+#ADD https://github.internet2.edu/raw/docker/ShibbIdP_ConfigBuilder_Container/master/duo-oidc-truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.oidc.common/truststore.asc
+#install the plugins
+#RUN /opt/shibboleth-idp/bin/plugin.sh --noPrompt -i https://shibboleth.net/downloads/identity-provider/plugins/oidc-common/1.0.0/oidc-common-dist-1.0.0.zip
+#RUN /opt/shibboleth-idp/bin/plugin.sh --noPrompt -i https://shibboleth.net/downloads/identity-provider/plugins/duo-oidc/1.0.0/idp-plugin-duo-nimbus-dist-1.0.0.zip
 
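Review bot: The commented-out `ADD https://…/oidc-common-truststore.asc …` lines fetch the plugin trust anchors from a raw GitHub URL with no checksum, even though this same commit adds duo-oidc-truststore.asc and oidc-common-truststore.asc to the repository; if they are ever enabled, `COPY oidc-common-truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.oidc.common/truststore.asc` (and likewise for the Duo one) keeps the trust bootstrap inside the reviewed tree, or `ADD --checksum=sha256:<CHECKSUM-PLACEHOLDER> …` if a remote fetch is really wanted. The two ADD lines also appear to have their destinations swapped relative to the file names (the oidc-common file goes to the duo.nimbus directory and the duo-oidc file to the oidc.common one) — worth confirming against the plugin docs before uncommenting. The two new .asc files share the same blob id (`8ef1547`), so they are byte-identical; if both plugins really ship the same signing key that is fine, but a one-line comment saying so would stop the next reader from assuming a copy-paste mistake.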
diff --git a/common.bash b/common.bash
index 9b82abc..e630b3b 100644
--- a/common.bash
+++ b/common.bash
@@ -2,4 +2,4 @@ registry="docker.io"
 maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.5"
+version="0.7"
diff --git a/configBuilder.sh b/configBuilder.sh
index 1ac726e..2cdc20e 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -7,9 +7,9 @@ cd /scriptrun
 
 
 # script config items
-SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.0-InCommon.zip
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.1-InCommon.zip
 TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
-TMP_DIR_S=/tmp/4.0-InCommon
+TMP_DIR_S=/tmp/4.1-InCommon
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
 
@@ -78,14 +78,14 @@ unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
 ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
 ################################################################################
 #
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/idp.properties ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/ldap.properties ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/metadata-providers.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/conf/logback.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.0-InCommon/credentials/sealer.kver ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/idp.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/ldap.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/metadata-providers.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-resolver.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-filter.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/logback.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/sealer.kver ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
 
diff --git a/duo-oidc-truststore.asc b/duo-oidc-truststore.asc
new file mode 100644
index 0000000..8ef1547
--- /dev/null
+++ b/duo-oidc-truststore.asc
@@ -0,0 +1,288 @@
+
+Philip David Smart <philip.smart@jisc.ac.uk>    id      B8A3DC52
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BCPG v1.68
+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+=+Re0
+-----END PGP PUBLIC KEY BLOCK-----
+
diff --git a/oidc-common-truststore.asc b/oidc-common-truststore.asc
new file mode 100644
index 0000000..8ef1547
--- /dev/null
+++ b/oidc-common-truststore.asc
@@ -0,0 +1,288 @@
+
+Philip David Smart <philip.smart@jisc.ac.uk>    id      B8A3DC52
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: BCPG v1.68
+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+=+Re0
+-----END PGP PUBLIC KEY BLOCK-----
+

From f679d7e4acfda0447a8e72df663eed9877bea282 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 9 Jun 2021 22:24:10 +0000
Subject: [PATCH 24/34] add attributes directory

---
 configBuilder.sh | 1 +
 1 file changed, 1 insertion(+)

diff --git a/configBuilder.sh b/configBuilder.sh
index 2cdc20e..3862305 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -84,6 +84,7 @@ cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/metadata-providers.xml $
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-resolver.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-filter.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/logback.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attributes/* ${SHBCFG}/attributes
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/sealer.kver ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}

From fb11b6fe16a38437a75781b5550f15110b9bd835 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Fri, 11 Jun 2021 19:03:32 +0000
Subject: [PATCH 25/34] add views directory

---
 Dockerfile.template | 2 +-
 configBuilder.sh    | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index df6d950..57096d5 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -17,7 +17,7 @@ ADD ${TOMCERT} /opt/certs
 ADD ${TOMWWWROOT} /usr/local/tomcat/webapps/ROOT
 ADD ${SHBCFG} /opt/shibboleth-idp/conf
 ADD ${SHBCREDS} /opt/shibboleth-idp/credentials
-#ADD ${SHBVIEWS} /opt/shibboleth-idp/views
+ADD ${SHBVIEWS} /opt/shibboleth-idp/views
 #ADD ${SHBEDWAPP} /opt/shibboleth-idp/edit-webapp
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
diff --git a/configBuilder.sh b/configBuilder.sh
index 3862305..45969e8 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -84,7 +84,7 @@ cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/metadata-providers.xml $
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-resolver.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-filter.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/logback.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attributes/* ${SHBCFG}/attributes
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/views/* ${SHBVIEWS}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/sealer.kver ${SHBCREDS}
 cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
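Review bot: The new `views/*` copy replaces the `conf/attributes/*` line added by the preceding commit instead of sitting next to it, so `${SHBCFG}/attributes` (which, as far as this series shows, configBuilder.sh still creates with `mkdir -p`) is now left empty. If dropping the attributes copy is intended, the subject "add views directory" should say so; otherwise keep both lines, `cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attributes/* ${SHBCFG}/attributes` followed by the views line.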

From 971bf40244b83d85d5c301898438134125be94f7 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Mon, 21 Aug 2023 17:38:55 -0500
Subject: [PATCH 26/34] Update README.md

---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index e30b3c2..7af6d42 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # ShibbIdP_ConfigBuilder_Container
 
-This container runs the configBuilder script and generates a Dockerfile (and related dependencies) along with a default TIER Shibboleth IdP config, customized based on the user's reponse to a few questions.
+This container runs the configBuilder script and generates a Dockerfile (and related dependencies) along with a default TAP Shibboleth IdP config, customized based on the user's reponse to a few questions.
 
 The config is written to /output in the container, which users should bind-mount to a directory of their choosing (best to use an empty directory).
 

From 93baa9151ec1d58e862f45b44edfd2ed1855e325 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 21 Sep 2023 21:45:24 -0500
Subject: [PATCH 27/34] force version 4 in Dockerfile

---
 Dockerfile.template | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile.template b/Dockerfile.template
index 57096d5..d787700 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:latest
+FROM tier/shib-idp:latest4
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat

From 7ebeed4959ef5ed83d62e1d027c39e5f4af498ea Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 22 Nov 2023 15:02:32 +0000
Subject: [PATCH 28/34] changes for IdP 5.0

---
 Dockerfile          |   3 +-
 Dockerfile.template |   4 +-
 Jenkinsfile         | 217 ++++++++++++++++++++++++++++++--------------
 common.bash         |   5 +-
 configBuilder.sh    |  91 +++++++++++--------
 5 files changed, 213 insertions(+), 107 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index 1d5a59f..c492cf6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,5 @@
-FROM centos:centos7
+FROM rockylinux:8.8
+#FROM --platform=$TARGETPLATFORM rockylinux:8.8
 
 # Install needed utils
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \
diff --git a/Dockerfile.template b/Dockerfile.template
index 57096d5..e628e2f 100644
--- a/Dockerfile.template
+++ b/Dockerfile.template
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:latest
+FROM i2incommon/shib-idp:latest5
 
 # The build args below can be used at build-time to tell the build process where to find your config files.  This is for a completely burned-in config.
 ARG TOMCFG=config/tomcat
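Review bot: This hunk's old side is `FROM tier/shib-idp:latest` (blob 57096d5), but patch 27 in this series already changed that line to `tier/shib-idp:latest4` (blob d787700), so this patch does not apply on top of the preceding commit and one of the two needs rebasing. Independently, `latest5` is a floating tag: the generated IdP image picks up whatever the registry serves at build time, so a production build keeps no record of which base it ran on; pinning by digest, `FROM i2incommon/shib-idp:latest5@sha256:<DIGEST-PLACEHOLDER>`, or at least by a full version tag, makes the build reproducible and lets the trivy results in the Jenkinsfile be tied to a specific base.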
@@ -22,7 +22,7 @@ ADD ${SHBVIEWS} /opt/shibboleth-idp/views
 #ADD ${SHBMSGS} /opt/shibboleth-idp/messages
 ADD ${SHBMD} /opt/shibboleth-idp/metadata
 
-# new for 4.1.0: install the Duo OIDC integration
+# new for 4.1.0+: install the Duo OIDC integration
 #      https://wiki.shibboleth.net/confluence/display/IDPPLUGINS/DuoOIDCAuthnConfiguration
 # For unattended install of plugins, trust must be manually bootstrapped.  You should never automate the retreival of this file (like this) for production.
 #ADD https://github.internet2.edu/raw/docker/ShibbIdP_ConfigBuilder_Container/master/oidc-common-truststore.asc /opt/shibboleth-idp/credentials/net.shibboleth.idp.plugin.authn.duo.nimbus/truststore.asc
diff --git a/Jenkinsfile b/Jenkinsfile
index 64d4325..2b1e16e 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,76 +1,160 @@
-node {
 
-  stage 'Checkout'
+pipeline {
+    agent { node { label 'docker-multi-arch' } }
+    environment { 
+        maintainer = "t"
+        imagename = 's'
+        tag = 'l'
+        DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
 
-    checkout scm
-
-  stage 'Acquire util'
-    
-    sh 'mkdir -p tmp && mkdir -p bin'
-    dir('tmp'){
-      git([ url: "https://github.internet2.edu/docker/util.git",
-          credentialsId: "jenkins-github-access-token" ])
-      sh 'rm -rf ./bin/windows/'
-      sh 'mv -f ./bin/* ../bin/.'
     }
-    sh 'rm -rf tmp'
+    stages {
+        stage('Setting build context') {
+            steps {
+                script {
+                    maintainer = maintain()
+                    imagename = imagename()
+                    if(env.BRANCH_NAME == "master") {
+                       tag = "latest"
+                    } else {
+                       tag = env.BRANCH_NAME
+                    }
+                    if(!imagename){
+                        echo "You must define an imagename in common.bash"
+                        currentBuild.result = 'FAILURE'
+                     }
+                    sh 'mkdir -p tmp && mkdir -p bin'
+                    dir('tmp'){
+                      git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+                      sh 'rm -rf ../bin/*'
+                      sh 'mv ./bin/* ../bin/.'
+                    }
+                    // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+                    // We don't care if there are more 'tag' assignments there. The latest one wins.
+                    sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+                }  
+             }
+        }    
+        stage('Clean') {
+            steps {
+                script {
+                   try{
+                     sh 'bin/destroy.sh >> debug'
+                   } catch(error) {
+                     def error_details = readFile('./debug');
+                     def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                   }
+                }
+            }
+        } 
+        stage('Build') {
+            steps {
+                script {
+                  try{
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
+                        sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
+                  } catch(error) {
+                     def error_details = readFile('./debug');
+                      def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+                     sh "rm -f ./debug"
+                     handleError(message)
+                  }
+                }
+            }
+        }
+        stage('Scan') {
+            steps {
+                script {
+                   try {
+                         echo "Starting security scan..."
+                         // Install trivy and HTML template
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+                         sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
 
-  stage 'Setting build context'
-  
-    def maintainer = maintainer()
-    def imagename = imagename()
-    def tag
-    
-    // Tag images created on master branch with 'latest'
-    if(env.BRANCH_NAME == "master"){
-      tag = "latest"
-    }else{
-      tag = env.BRANCH_NAME
-    }
-        
-    if(!imagename){
-      echo "You must define an imagename in common.bash"
-      currentBuild.result = 'FAILURE'
-     }
-     if(maintainer){
-      echo "Building ${imagename}:${tag} for ${maintainer}"
-     }
-     
-  stage 'Build'
-    try{
-      sh 'bin/build.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
+                         // Scan container for all vulnerability levels
+                         echo "Scanning for all vulnerabilities..."
+                         sh 'mkdir -p reports'
+                         // 2 commented scans below are OS-only, in case timeout issues occur
+                         sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+                         sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan.html',
+                             reportName: 'Security Scan',
+                             reportTitles: 'Security Scan'
+                          ]
+                         publishHTML target : [
+                             allowMissing: true,
+                             alwaysLinkToLastBuild: true,
+                             keepAll: true,
+                             reportDir: 'reports',
+                             reportFiles: 'container-scan-arm.html',
+                             reportName: 'Security Scan (ARM)',
+                             reportTitles: 'Security Scan (ARM)'
+                          ]
+                         // Scan again and fail on CRITICAL vulns
+                         //below can be temporarily commented to prevent build from failing
+                         echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+                         // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked
+                         // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                         sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+                         sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+                         //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+                   } catch(error) {
+                           def error_details = readFile('./debug');
+                           def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+                           sh "rm -f ./debug"
+                           handleError(message)
+                   }
+                }
+            }
+        }
+        stage('Push') {
+            steps {
+                script {
+                        sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+                        // fails if already exists
+                        // sh 'docker buildx create --use --name multiarch --append'
+                        sh 'docker buildx inspect --bootstrap'
+                        sh 'docker buildx ls'
+                        echo "Pushing image to dockerhub..."
+                        sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
+                 }
+            }
+        }
+        stage('Notify') {
+            steps{
+                echo "$maintainer"
+                slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+            }
+        }
     }
-    
-/*  stage 'Tests'
-  
-    try{
-      sh 'bin/test.sh &> debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
-      sh "rm -f ./debug"
-      handleError(message)
-    }*/
-    
-  stage 'Push'
-
-    docker.withRegistry('https://registry.hub.docker.com/',   "dockerhub-$maintainer") {
-          def baseImg = docker.build("$maintainer/$imagename")
-          baseImg.push("$tag")
+    post { 
+        always { 
+            echo 'Done Building.'
+        }
+        failure {
+            // slackSend color: 'good', message: "Build failed"
+            handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+        }
     }
-    
-  stage 'Notify'
-  
-    slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
-
 }
 
-def maintainer() {
+
+def maintain() {
   def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
   matcher ? matcher[0][1] : 'tier'
 }
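Review bot: `sh 'docker login -u tieradmin -p $DOCKERHUBPW'` in the Build and Push stages passes the registry password as a command-line argument, where it is visible to every process on the agent via the process list and docker itself prints a warning about it; `sh 'echo "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'` avoids that (Jenkins masks the credential in the console log either way). The Scan stage installs trivy with `curl -sfL …/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1`: the binary version is pinned but the installer script is fetched from the `main` branch and executed unverified, so pinning the script to the same release tag and checking its sha256, or preinstalling trivy on the `docker-multi-arch` agent, would remove the unpinned piece. In the Build and Scan catch blocks `readFile('./debug')` reads a file that only the Clean stage's `bin/destroy.sh >> debug` writes, so the error report contains destroy.sh output rather than the failed command's, and if Clean never created it the readFile itself throws and masks the original error — redirecting each stage's build and scan commands into that file, as the removed `bin/build.sh &> debug` did, would restore the intended behaviour. The enclosing `pipeline { … }` block lies entirely inside the hunk.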
@@ -84,6 +168,7 @@ def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
   slackSend color: 'danger', message: "${message}"
-  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'chubing@internet2.edu', sendToIndividuals: true])
+  //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
   sh 'exit 1'
 }
+
diff --git a/common.bash b/common.bash
index e630b3b..6412aed 100644
--- a/common.bash
+++ b/common.bash
@@ -1,5 +1,6 @@
 registry="docker.io"
-maintainer="tier"
+maintainer="i2incommon"
+previous_maintainer="tier"
 basename="shibbidp_configbuilder_container"
 imagename="shibbidp_configbuilder_container"
-version="0.7"
+version="0.8"
diff --git a/configBuilder.sh b/configBuilder.sh
index 45969e8..505cdf3 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -7,9 +7,11 @@ cd /scriptrun
 
 
 # script config items
-SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.1-InCommon.zip
-TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
-TMP_DIR_S=/tmp/4.1-InCommon
+#SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/4.1-InCommon.zip
+SHB_CFG_URL=https://github.internet2.edu/docker/shib-idp-conftree/archive/refs/heads/5.0-InCommon.zip
+#TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/master.zip
+TOM_CFG_URL=https://github.internet2.edu/docker/shib-idp-tomcat-config/archive/refs/heads/tomcat10-1.zip
+TMP_DIR_S=/tmp/5.0-InCommon
 TMP_DIR_T=/tmp/tomcfg
 TMP_DIR_D=/tmp/buildfiles
 
@@ -78,17 +80,17 @@ unzip -o -d ${TMP_DIR_T} ${TMP_DIR_T}.zip > /dev/null 2>&1
 ### cp relevant folders from expanded zip to appropriate locations at $PWD/* ###
 ################################################################################
 #
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/idp.properties ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/ldap.properties ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/metadata-providers.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-resolver.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/attribute-filter.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/conf/logback.xml ${SHBCFG}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/views/* ${SHBVIEWS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
-cp -rf ${TMP_DIR_S}/shib-idp-conftree-4.1-InCommon/credentials/sealer.kver ${SHBCREDS}
-cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/conf/* ${TOMCFG}
-cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-master/wwwroot/* ${TOMWWWROOT}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/idp.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/ldap.properties ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/metadata-providers.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/logback.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/views/* ${SHBVIEWS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/sealer.kver ${SHBCREDS}
+cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-tomcat10-1/conf/* ${TOMCFG}
+cp -rf ${TMP_DIR_T}/shib-idp-tomcat-config-tomcat10-1/wwwroot/* ${TOMWWWROOT}
 
 
 #####################################################
@@ -287,30 +289,47 @@ openssl x509 -req -days 1825 -in idp-encryption.csr -signkey idp-encryption.key
 #
 cp *.key *.crt ../${SHBCREDS}
 
+
+
+
+
+
+
 # build self-signed cert for Tomcat to use with https
 #
 # ensure keytool
-command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
+#command -v keytool >/dev/null 2>&1 || { echo >&2 "ERROR: keytool is required, but doesn't appear to be installed.  Aborting..."; exit 1; }
+#
+#if test -f ssl_keystore.jks; then
+#    mv ssl_keystore.jks ssl_keystore.jks.old
+#fi
+#
+#cat > data.conf << EOF
+#${FQDN}
+#SUBJ_OU
+#SUBJ_O
+#SUBJ_CITY
+#SUBJ_STATE
+#SUBJ_COUNTRY
+#yes
+#
+#
+#EOF
+#
+#STOREPWD=$(uuidgen)
+#keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1
+#cp ssl_keystore.jks ../${TOMCERT}/keystore.jks
 
-if test -f ssl_keystore.jks; then
-    mv ssl_keystore.jks ssl_keystore.jks.old
-fi
+# new https cert/key (PEM)
+openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=${FQDN}" -batch -keyout idp-https.key -out idp-https.csr >> ${LOGFILE} 2>&1
+openssl x509 -req -days 365 -in idp-https.csr -signkey idp-https.key -out idp-https.crt >> ${LOGFILE} 2>&1
+#
+rm -f idp-https.csr
+cp idp-https.* ../${TOMCERT}
 
-cat > data.conf << EOF
-${FQDN}
-SUBJ_OU
-SUBJ_O
-SUBJ_CITY
-SUBJ_STATE
-SUBJ_COUNTRY
-yes
 
 
-EOF
 
-STOREPWD=$(uuidgen)
-keytool -genkey -keyalg RSA -alias selfsigned -keystore ssl_keystore.jks -storepass $STOREPWD -validity 360 -keysize 2048 < data.conf >> ${LOGFILE} 2>&1
-cp ssl_keystore.jks ../${TOMCERT}/keystore.jks
 
 #
 # OK, next build the shibboleth sealer java keystore
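Review bot: `cp idp-https.* ../${TOMCERT}` copies the new private key with whatever mode openssl created it under the script's umask and nothing restricts it afterwards; a `chmod 600 idp-https.key` before the copy (or `umask 077` for this section) keeps the TLS key from being world-readable in the generated config tree that Dockerfile.template later ADDs into the image. The request is built with `-subj "/commonName=${FQDN}"` only, so the certificate carries no subjectAltName; current browsers ignore CN and reject such a certificate even after the user trusts it, so adding `-addext "subjectAltName=DNS:${FQDN}"` to the `openssl req` line (OpenSSL ≥ 1.1.1, which the Rocky 8 base in this series ships) is worthwhile even for a self-signed bootstrap cert. The keytool block is kept as a twenty-line commented copy plus six added blank lines; deleting it outright would leave the section readable, since git keeps the history. The related hunk at `@@ -429,12 +448,12 @@` comments out the `keystorePass` substitution in server.xml, which is consistent with STOREPWD no longer being generated, but nothing here shows that the tomcat10-1 server.xml references idp-https.crt/idp-https.key rather than a keystore — worth confirming so the generated config does not ship with a literal `keystorePass="password"`.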
@@ -429,12 +448,12 @@ EOF
 # configure SSL keystore password in tomcat's config file: 
 #    conf/tomcat/server.xml replace: keystorePass="password"
 #
-echo "Updating Tomcat's server.xml with the generated password"
-
-if test \! -f ${TOMCFG}/server.xml.dist; then
-    cp ${TOMCFG}/server.xml ${TOMCFG}/server.xml.dist
-fi
-sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
+#echo "Updating Tomcat's server.xml with the generated password"
+#
+#if test \! -f ${TOMCFG}/server.xml.dist; then
+#    cp ${TOMCFG}/server.xml ${TOMCFG}/server.xml.dist
+#fi
+#sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml
 
 
 #

From 0c375004bf4f0eefad9f4d2f7f6eeed3c3c6a0f4 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 22 Nov 2023 15:06:12 +0000
Subject: [PATCH 29/34] bug fix

---
 Jenkinsfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Jenkinsfile b/Jenkinsfile
index 2b1e16e..37ea54f 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -17,7 +17,7 @@ pipeline {
                     if(env.BRANCH_NAME == "master") {
                        tag = "latest"
                     } else {
-                       tag = env.BRANCH_NAME
+                       tag = env.BRANCH_NAME.toLowerCase()
                     }
                     if(!imagename){
                         echo "You must define an imagename in common.bash"
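Review bot: `tag = env.BRANCH_NAME.toLowerCase()` fixes the case problem, but a branch name containing `/` (e.g. `feature/x`) or any other character outside `[a-z0-9_.-]` still yields an invalid Docker tag, which fails later at build/push time rather than at this line. If such branch names are possible in this repo, sanitise in the same expression: `tag = env.BRANCH_NAME.toLowerCase().replaceAll(/[^a-z0-9_.-]/, '-')`. The enclosing pipeline stage starts and ends outside the hunk.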

From aa8fff9ed52b5202eb2e52a29e1130518fdba706 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 22 Nov 2023 15:08:34 +0000
Subject: [PATCH 30/34] fix Dockerfile multiarch

---
 Dockerfile | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index c492cf6..d59fefc 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,5 +1,4 @@
-FROM rockylinux:8.8
-#FROM --platform=$TARGETPLATFORM rockylinux:8.8
+FROM --platform=$TARGETPLATFORM rockylinux:8.8
 
 # Install needed utils
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \
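Review bot: `FROM --platform=$TARGETPLATFORM rockylinux:8.8` is what BuildKit already does by default, so the new line is functionally the same as the removed `FROM rockylinux:8.8`; hadolint flags an explicit `--platform` on FROM (DL3029) because it is only meaningful as `$BUILDPLATFORM` in a cross-compiling build stage. If multi-arch builds were failing, the cause is more likely an architecture-specific download further down (the x64 Corretto RPM that the following commit comments out) than this line. Pinning the base by digest would additionally make both architectures resolve the same manifest list: `FROM rockylinux:8.8@sha256:<digest-placeholder>`.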

From c358fbadd4a158888bf4cbf39aa2481ad83455cc Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 22 Nov 2023 15:14:38 +0000
Subject: [PATCH 31/34] remove Java install

---
 Dockerfile | 33 +++++++++------------------------
 1 file changed, 9 insertions(+), 24 deletions(-)

diff --git a/Dockerfile b/Dockerfile
index d59fefc..923069c 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -7,32 +7,17 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=
 
 # Install Corretto Java JDK
 #Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
-ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
-ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
-COPY corretto-signing-key.pub .
-RUN curl -O -L $CORRETTO_URL_PERM \
-    && rpm --import corretto-signing-key.pub \
-    && rpm -K $CORRETTO_RPM \
-    && rpm -i $CORRETTO_RPM \
-    && rm -r corretto-signing-key.pub $CORRETTO_RPM
-ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
+#ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
+#ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
+#COPY corretto-signing-key.pub .
+#RUN curl -O -L $CORRETTO_URL_PERM \
+#    && rpm --import corretto-signing-key.pub \
+#    && rpm -K $CORRETTO_RPM \
+#    && rpm -i $CORRETTO_RPM \
+#    && rm -r corretto-signing-key.pub $CORRETTO_RPM
+#ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
 
 
-#download/install Azul Java
-#ENV JAVA_HOME /usr
-
-# Install Zulu Java
-#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
-#        && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
-#        && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
-
-#RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \
-#     yum -y install /tmp/jre-8u171-linux-x64.rpm && \
-#     rm -f /tmp/jre-8u171-linux-x64.rpm && \
-#     alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
-#     alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
-#     alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
-
 #copy files
 RUN mkdir -p /output && mkdir -p /scriptrun
 COPY configBuilder.sh /scriptrun
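Review bot: After this hunk the image installs no Java at all and `JAVA_HOME` is no longer set, yet the section header `# Install Corretto Java JDK` and the download-page link remain above a block of commented-out instructions, so a reader cannot tell where a JDK is expected to come from. Rather than keeping two dead install recipes as comments (Corretto here, the removed Azul/Oracle ones above), delete them — history preserves them — and replace the header with a one-line statement of the new source, e.g. `# Java is not installed in this image; it is provided by <runtime image — fill in>`. The commented `ARG CORRETTO_URL_PERM` line still points at a hardcoded x64 RPM, which is worth noting if the multi-arch fix in the previous commit is revisited.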

From 379974181c107ec65c33be2e7fb16411e991271d Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Wed, 17 Jan 2024 16:44:57 +0000
Subject: [PATCH 32/34] add openjdk for keytool support

---
 Dockerfile | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/Dockerfile b/Dockerfile
index 923069c..559c0d4 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -2,7 +2,7 @@ FROM --platform=$TARGETPLATFORM rockylinux:8.8
 
 # Install needed utils
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags=nodocs epel-release && \
-    yum -y install wget zip unzip rsync openssl && \
+    yum -y install wget zip unzip rsync openssl java-latest-openjdk && \
     yum -y clean all
 
 # Install Corretto Java JDK
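Review bot: `java-latest-openjdk` is an unpinned, moving package whose major version tracks the base repo, so rebuilds can silently pick up a different JDK (hadolint DL3033 asks for `yum install <pkg>-<version>`). Since the commit message says the package is only there for `keytool`, the headless variant should suffice and avoids the desktop/X11 dependency set — something like `yum -y install wget zip unzip rsync openssl java-latest-openjdk-headless-<version — pin> && \`, to be confirmed against the Rocky 8.8 AppStream repo. A comment such as `# openjdk: only needed for keytool in configBuilder.sh` above the RUN would record why a JDK is back in the image after the Corretto removal.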

From 0e85cd1cd1e85855b09849647a3e988affee1bce Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Thu, 18 Jan 2024 16:06:46 +0000
Subject: [PATCH 33/34] add idp logout to generated metadata

---
 configBuilder.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configBuilder.sh b/configBuilder.sh
index 505cdf3..02522f5 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -374,6 +374,11 @@ $CERT
         </ds:X509Data>
       </ds:KeyInfo>
     </KeyDescriptor>
+
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/idp/profile/SAML2/Redirect/SLO"/>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/idp/profile/SAML2/POST/SLO"/>
+    <SingleLogoutService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="$BASEURL/idp/profile/SAML2/POST-SimpleSign/SLO"/>
+
     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="$BASEURL/idp/profile/SAML2/Redirect/SSO"/>
     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="$BASEURL/idp/profile/SAML2/POST/SSO"/>
     <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="$BASEURL/idp/profile/SAML2/POST-SimpleSign/SSO"/>
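Review bot: The new `SingleLogoutService` entries advertise SLO endpoints that the IdP only honors when the SAML2.SLO profile is enabled in `relying-party.xml`; the hunk does not show that being configured, so an SP that trusts this metadata may send LogoutRequests the IdP rejects. A comment above the block, such as `# SLO endpoints: requires the SAML2.SLO profile to be enabled in relying-party.xml`, would tie the two together for whoever maintains the conftree. The placement before `SingleSignOnService` matches the schema order for SSODescriptorType, so no change there. The enclosing heredoc starts and ends outside the hunk.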

From efc6f6c846c58f11e593ad47a50a3e1d61e52aa3 Mon Sep 17 00:00:00 2001
From: Paul Riddle <paulr@umbc.edu>
Date: Tue, 18 Feb 2025 10:55:52 -0500
Subject: [PATCH 34/34] Add several config files to Docker build area

---
 configBuilder.sh | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/configBuilder.sh b/configBuilder.sh
index 02522f5..aabf581 100755
--- a/configBuilder.sh
+++ b/configBuilder.sh
@@ -86,6 +86,11 @@ cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/metadata-providers.xml $
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-resolver.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attribute-filter.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/logback.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/authn/ ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/attributes/ ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/credentials.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/relying-party.xml ${SHBCFG}
+cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/conf/saml-nameid.xml ${SHBCFG}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/views/* ${SHBVIEWS}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/inc-md-cert-mdq.pem ${SHBCREDS}
 cp -rf ${TMP_DIR_S}/shib-idp-conftree-5.0-InCommon/credentials/sealer.kver ${SHBCREDS}
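Review bot: The five new `cp -rf` lines overwrite `credentials.xml`, `relying-party.xml`, `saml-nameid.xml` and the `authn/` and `attributes/` trees in `${SHBCFG}` with the conftree versions, and since those files govern signing/encryption credentials, profile enablement and NameID policy, a one-line comment stating that the InCommon conftree copies are authoritative and intentionally replace the distribution defaults would make the overwrite deliberate rather than accidental. Note that `cp -rf …/conf/authn/ ${SHBCFG}` copies the directory itself (yielding `${SHBCFG}/authn`), whereas the `views/*` line below copies only contents; that looks intended for `conf/authn` and `conf/attributes` but is worth confirming. The surrounding copy block and any `set -e` handling lie outside the hunk.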