From eeda69876347a6e4459b07776f894496c70604ec Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 26 Apr 2018 17:15:51 -0400 Subject: [PATCH] make secrets optional --- Dockerfile | 7 ++- common.bash | 2 +- configBuilder.sh | 148 ++++++++++++++++++++++++----------------------- 3 files changed, 82 insertions(+), 75 deletions(-) diff --git a/Dockerfile b/Dockerfile index 41f4001..0806af3 100644 --- a/Dockerfile +++ b/Dockerfile @@ -7,9 +7,10 @@ RUN rm -fr /var/cache/yum/* && yum clean all && yum -y install --setopt=tsflags= #download/install JRE ENV JAVA_HOME /usr/java/latest -RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=225344_090f390dda5b47b9b721c7dfaa008135" -O /tmp/jre-8u144-linux-x64.rpm && \ - yum -y install /tmp/jre-8u144-linux-x64.rpm && \ - rm -f /tmp/jre-8u144-linux-x64.rpm && \ + +RUN wget -nv --no-cookies --no-check-certificate "http://javadl.oracle.com/webapps/download/AutoDL?BundleId=233161_512cd62ec5174c3487ac17c61aaa89e8" -O /tmp/jre-8u171-linux-x64.rpm && \ + yum -y install /tmp/jre-8u171-linux-x64.rpm && \ + rm -f /tmp/jre-8u171-linux-x64.rpm && \ alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \ alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \ alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000 diff --git a/common.bash b/common.bash index b66d462..bb76b27 100644 --- a/common.bash +++ b/common.bash @@ -2,4 +2,4 @@ registry="docker.io" maintainer="tier" basename="shibbidp_configbuilder_container" imagename="shibbidp_configbuilder_container" -version="0.1" +version="0.2" diff --git a/configBuilder.sh b/configBuilder.sh index 8a9bfdf..bd86207 100644 --- a/configBuilder.sh +++ b/configBuilder.sh @@ -43,6 +43,7 @@ LDAPPWD=None SEALERPWD=None TIER_TESTBED=None BURNMOUNT=None +USESECRETS=None ################################## 
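Review bot: The rewritten `RUN wget ...` line fetches the JRE rpm over plain http with `--no-check-certificate` and passes it straight to `yum -y install`, so the updated BundleId URL is trusted on the strength of the network path alone and a swapped or tampered package would be installed without complaint. Pin the vendor-published digest and verify it before installing, e.g. insert `echo "<EXPECTED_SHA256>  /tmp/jre-8u171-linux-x64.rpm" | sha256sum -c - && \` between the wget and yum lines (placeholder to be filled from Oracle's checksum list), and prefer an https URL without `--no-check-certificate`, which does nothing for http here but would silently disable verification if the URL is later switched to https. The added empty `+` line introduces a blank line before the RUN for no evident reason; the RUN command begins and ends inside the hunk.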
@@ -73,7 +74,7 @@ LINUX | linux) echo "Getting build files for a Linux container" wget -q -O ${TMP_DIR_D}.zip ${LINUX_BUILD_FILES_URL} > /dev/null unzip -o -d ${TMP_DIR_D} ${TMP_DIR_D}.zip > /dev/null 2>&1 - cp -rf ${TMP_DIR_D}/shib-idp_noVM-master/* /output + cp -rf ${TMP_DIR_D}/shib-idp-master/* /output ;; WINDOWS | windows) echo "Getting build files for a Windows container" @@ -90,7 +91,7 @@ esac rm -f /output/configBuilder.sh > /dev/null 2>&1 rm -f /output/setup.log > /dev/null 2>&1 rm -f /output/README.md > /dev/null 2>&1 -rm -rf /output/shib-idp_noVM-master/* +rm -rf /output/shib-idp-master/* #grab copy of Dockerfile in working dir cp -f /output/Dockerfile . 
@@ -325,34 +326,50 @@ while [ ${LDAPPWD} == "None" ]; do done -# -# Ask the installer about burned versus mountedd config -# -#echo "" -#echo "Would you like your Shibboleth IdP containers to utilize a " -#echo "Shibboleth config which has been \"burned\" (copied) into each " -#echo "container, or would you like your IdP containers to instead " -#echo "mount all of their configuration from the container host's local " -#echo "filesystem or would you like to use a hybrid config utilizing secrets (requires a swarm)?" -#echo "" -#while [ ${BURNMOUNT} == "None" ]; do -# echo -n "Please select your choice (please enter either \"burn\" or \"mount\" or \"hybrid\", if you aren't sure, enter hybrid): " -# read response -# case $response in -# Mount|mount|M|m) -# BURNMOUNT=mount -# ;; -# Burn|burn|B|b) -# BURNMOUNT=burn -# ;; -# Hybrid|hybrid|H|h) - BURNMOUNT=hybrid -# ;; -# *) -# echo "You must choose either \"burn\" or \"mount\" or \"hybrid\"." -# esac -#done -#echo "Burn/Mount option choice is: $BURNMOUNT" +####################### +## ask about secrets ## +####################### +cat << EOF + + +*********************************************************************************** +*********************************************************************************** + ==> The next question deals with the use of 'secrets' in your container. + +Secrets are files that contain senstivie information such as passwords or keys. The following files are considered 'secrets': +idp.properties +ldap.properties +attribute-resolver.xml +attribute-filter.xml +relying-party.xml +metadata-providers.xml +idp-signing.key +idp-signing.crt +idp-encryption.key +idp-encryption.crt +sealer.jks +sealer.kver +keystore.jks (Tomcat SSL) + +If you answer yes/y to this question, the files listed above will be removed from the directories containing the other configuration files (intended to be burned into the container), and placed into a folder named 'SECRETS'. 
You can then use these files with your container orchestration system to overlay the relevant files in your running containers. + +If you answer no/n to this question, your configuration (intended to be burned into the container) will contain all config files, including those with sensitive information. +EOF +while [ ${USESECRETS} == "None" ]; do + echo -n "Would you like to isolate "secrets" from your generated Shibb IdP configuration? " + read yesno + case $yesno in + Yes|yes|Y|y) + USESECRETS=YES + BURNMOUNT=hybrid + ;; + No|no|N|n) + USESECRETS=NO + BURNMOUNT=burn + ;; + esac +done + ############################################################ @@ -524,7 +541,7 @@ rm -f docker_edit.sed if [ ${BURNMOUNT} == "burn" ] || [ ${BURNMOUNT} == "hybrid" ]; then - echo "Configuring Docker for burned-in configuration." + echo "Configuring Docker for burned-in/hybrid configuration." mv -f Dockerfile Dockerfile.setup cat < docker_edit.sed 
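Review bot: The `case $yesno in` inside the new `while [ ${USESECRETS} == "None" ]` loop has no default arm, so any reply other than yes/no silently re-prompts with no explanation, whereas the block it replaces printed what was expected; add `*) echo "You must answer \"yes\" or \"no\"." ;;` before `esac`. The prompt `echo -n "Would you like to isolate "secrets" from ..."` closes the string at each inner quote, so `secrets` is printed without the intended quotes — escape them as `\"secrets\"` as the file's other prompts do — and `read yesno` should be `read -r yesno` so a backslash in the reply is not interpreted. The heredoc text also misspells "senstivie" (sensitive).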
@@ -550,43 +567,32 @@ fi sed "s#keystorePass=\"password\"#keystorePass=\"${STOREPWD}\"#" ${TOMCFG}/server.xml.dist > ${TOMCFG}/server.xml -# if the user chose a hybrid config, then generate a directory containing the config with secrets removed -# copy files -if [ ${BURNMOUNT} == "hybrid" ]; then +# if the user chose to use secrets, then generate a directory containing the config with secrets removed +if [ ${USESECRETS} == "YES" ]; then echo "" - echo "Creating sanitized config for hybrid build..." + echo "Creating sanitized config for use with secrets..." echo "" destPath=${PWD} - #destPathName=ConfigNoSecrets - # check for rsync - #command -v rsync >/dev/null 2>&1 || { echo >&2 "ERROR: rsync is required, but doesn't appear to be installed. Aborting..."; exit 1; } - #rsync -a . ${destPath} --exclude ${destPathName} mkdir -p ${destPath}/SECRETS -# rm -f ${destPath}/Dockerfile -# rm -f ${destPath}/configBuilder.sh -# rm -f ${destPath}/setup.log - - # move secrets -mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null -mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null -mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null -mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null -mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null -mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null -mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null -mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null -mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null -mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null -mv -f 
$destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null -mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null -mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null - -echo "" -echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory" -echo "" + mv -f $destPath/config/shib-idp/conf/idp.properties $destPath/SECRETS/idp.properties > /dev/null + mv -f $destPath/config/shib-idp/conf/ldap.properties $destPath/SECRETS/ldap.properties > /dev/null + mv -f $destPath/credentials/shib-idp/sealer.jks $destPath/SECRETS/sealer.jks > /dev/null + mv -f $destPath/credentials/shib-idp/sealer.kver $destPath/SECRETS/sealer.kver > /dev/null + mv -f $destPath/credentials/shib-idp/idp-signing.key $destPath/SECRETS/idp-signing.key > /dev/null + mv -f $destPath/credentials/shib-idp/idp-signing.crt $destPath/SECRETS/idp-signing.crt > /dev/null + mv -f $destPath/credentials/shib-idp/idp-encryption.key $destPath/SECRETS/idp-encryption.key > /dev/null + mv -f $destPath/credentials/shib-idp/idp-encryption.crt $destPath/SECRETS/idp-encryption.crt > /dev/null + mv -f $destPath/credentials/tomcat/keystore.jks $destPath/SECRETS/keystore.jks > /dev/null + mv -f $destPath/config/shib-idp/conf/relying-party.xml $destPath/SECRETS/relying-party.xml > /dev/null + mv -f $destPath/config/shib-idp/conf/attribute-filter.xml $destPath/SECRETS/attribute-filter.xml > /dev/null + mv -f $destPath/config/shib-idp/conf/attribute-resolver.xml $destPath/SECRETS/attribute-resolver.xml > /dev/null + mv -f $destPath/config/shib-idp/conf/metadata-providers.xml $destPath/SECRETS/metadata-providers.xml > /dev/null + echo "" + echo "Your 'secrets' were removed from the main config and stored in the 'SECRETS' directory" + echo "" fi #copy files directly instead of zipping 
@@ -625,13 +631,13 @@ echo "Your initial configuration has been successfully setup." echo "" echo "" if [ ${BURNMOUNT} == "burn" ]; then - echo "Since you have elected to use a burned-in config, the steps for " + echo "Since you have elected to use a completely burned-in config, the steps for " echo " you to build and run a TIER Shibboleth-IdP container are below." - echo "BUILD" + echo "1. BUILD" echo " It will be necessary to specify where to find your config at build-time, " echo " so that it can be copied into the container." echo "" - echo " If you are using the default config locations (used/created by the configBuilder.sh script), then the following command would be correct:" + echo " If you are using the default config locations (used/created by the ConfigBuilder service), then the following command would be correct:" echo " docker build --rm -t my/shibb-idp-tier ." echo "" echo " If you have an existing config or otherwise need to supply non-default paths for your config bits, " 
@@ -651,15 +657,15 @@ if [ ${BURNMOUNT} == "burn" ]; then --build-arg SHBLOG=logs/shib-idp ." echo "" echo "" - echo "RUN" + echo "2. RUN" echo "" - echo " docker run -d --name shib-idp -p 8443:8443 my/shibb-idp-tier" + echo " docker run -d --name shib-idp -p 443:443 my/shibb-idp-tier" elif [ ${BURNMOUNT} == "hybrid" ]; then - echo "Since you have elected to use a hybrid config, the steps for " + echo "Since you have elected to use a hybrid config (with secrets), the steps for " echo " you to build and run a TIER Shibboleth-IdP container are below." - echo "BUILD" + echo "1. BUILD" echo " It will be necessary to specify where to find your config at build-time, but with a hybrid config, " - echo " you'll want to point it to a config that has no \"secrets\"" + echo " you'll want to point it to a set of config files that have no \"secrets\"" echo "" echo "To do this, point an environment variable at the alternate location (created by this script):" echo " export ALTCFG=ConfigNoSecrets" @@ -676,7 +682,7 @@ elif [ ${BURNMOUNT} == "hybrid" ]; then --build-arg SHBMD=${ALTCFG}/config/shib-idp/metadata \\ --build-arg SHBLOG=${ALTCFG}/logs/shib-idp ." echo "" - echo "Next, you would create the appropriate docker secrets and run as a swarm service. See documentation wiki for more info." + echo "Next, you would create the appropriate secrets/overlays in your container orchestration system and run the container. See documentation wiki for more info." echo "" else echo "Since you have elected to use a mounted config, the steps for " 
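Review bot: The reworded hybrid instructions (`you'll want to point it to a set of config files that have no \"secrets\"`) are immediately followed by the context line `export ALTCFG=ConfigNoSecrets` and by `--build-arg` lines using `${ALTCFG}`, but with this commit the sanitized config is produced in place — secrets are moved into `SECRETS` under `${PWD}` and the commented-out rsync copy into a separate directory is deleted — so nothing in the patch creates a `ConfigNoSecrets` directory. Unless it is created in a part of the script not shown, the printed build steps point at a path that does not exist; they should direct the user to build from the current directory and to overlay the files from `SECRETS` at run time, dropping the `${ALTCFG}/` prefix from the build args. The enclosing if/elif/else block continues past both hunks.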
@@ -691,7 +697,7 @@ else echo "RUN" echo " For a mounted config, you will need to supply your config locations at run-time, like this (assuming the default locations for the local config)." echo "" - echo " docker run -d --name shib-test1 -p 8443:8443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\ + echo " docker run -d --name shib-test1 -p 443:443 -v ${PWD}/${TOMCFG}:/usr/local/tomcat/conf \\ -v ${PWD}/${TOMWWWROOT}:/usr/local/tomcat/webapps/ROOT \\ -v ${PWD}/${TOMLOG}:/usr/local/tomcat/logs \\ -v ${PWD}/${TOMCERT}:/opt/certs \\