new files

Jenkinsfile

@@ -22,7 +22,6 @@ node('windows') {
   stage 'Acquire util files'
 
 	powershell(returnStatus: true, script: 'New-Item -ItemType directory -Path ./tmp')
-	//powershell(returnStatus: true, script: 'New-Item -ItemType directory -Path ./bin')
 	powershell(returnStatus: true, script: 'Remove-Item ./bin -Force -Recurse')
     dir('tmp'){
       git([ url: "https://github.internet2.edu/docker/util.git",
@@ -74,7 +73,17 @@ node('windows') {
         powershell(returnStatus: true, script: 'Remove-Item -Force ./debug')
 	  }*/
 
-//  stage 'Test'
+  stage 'Test'
+
+      try{
+	    powershell(returnStatus: true, script: '& ./tests/runtests.ps1 > ./debug')
+	  } catch(error) {
+	    def error_details = readFile('./debug');
+        def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
+		powershell(returnStatus: true, script: 'Remove-Item -Force ./debug')
+		currentBuild.result = 'FAILURE'
+		handleError(message)
+	  }
 
 
   stage 'Push'

test-compose/docker-compose.yml

@@ -0,0 +1,42 @@
+
+version: "3.3"
+
+services:
+  idp:
+    build: 
+      context: ./idp/
+      args:
+        TOMCFG: ./container_files/config/tomcat
+        TOMCERT: ./container_files/credentials/tomcat
+        TOMWWWROOT: ./container_files/wwwroot
+        SHBCFG: ./container_files/config/shib-idp/conf
+        SHBCREDS: ./container_files/credentials/shib-idp
+        SHBVIEWS: ./container_files/config/shib-idp/views
+        SHBEDWAPP: ./container_files/config/shib-idp/edit-webapp
+        SHBMSGS: ./container_files/config/shib-idp/messages
+        SHBMD: ./container_files/config/shib-idp/metadata
+    expose:
+     - "443"
+    ports:
+     - "443:443"
+    dns:
+     - 8.8.8.8
+     - 4.4.4.4
+
+  sp:
+    build: ./sp/
+    expose:
+     - "8443"
+    ports:
+     - "8443:8443"
+    dns:
+     - 8.8.8.8
+     - 4.4.4.4
+
+networks:
+  default:
+    external:
+      name: nat
+
+
+

test-compose/getIPs.ps1

@@ -0,0 +1,15 @@
+
+$idpcid = docker ps | Select-String 'idp' | ForEach-Object { $_.Line.split(' ')[0] }
+$spcid = docker ps | Select-String 'sp' | ForEach-Object { $_.Line.split(' ')[0] }
+
+$idpip = (docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" $idpcid)
+$spip = (docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" $spcid)
+
+$msg = $($idpip.Trim()) + ' idp.example.edu' + "`r`n" + $($spip.Trim()) + ' sptest.example.edu'
+
+Set-Clipboard -Value $msg
+
+Write-Host ''
+Write-Host $($msg)
+Write-Host '  **above entries copied to clipboard'
+Write-Host ''

test-compose/idp/Dockerfile

@@ -0,0 +1,39 @@
+FROM tier/shibbidp_novm_windows:latest
+
+#params for supplying your IdP config to your container (can be overridden at build-time using build-args)
+ARG TOMCFG=config\\tomcat
+ARG TOMLOG=logs\\tomcat
+ARG TOMCERT=credentials\\tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config\\shib-idp\\conf
+ARG SHBCREDS=credentials\\shib-idp
+ARG SHBVIEWS=config\\shib-idp\\views
+ARG SHBEDWAPP=config\\shib-idp\\edit-webapp
+ARG SHBMSGS=config\\shib-idp\\messages
+ARG SHBMD=config\\shib-idp\\metadata
+ARG SHBLOG=logs\\shib-idp
+
+ADD $TOMCFG c:\\Tomcat\\conf
+ADD $TOMCERT c:\\opt\\certs
+ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
+ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
+ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
+ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
+ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
+ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
+ADD $SHBMD c:\\opt\\shibboleth-idp\\metadata
+
+# Uncomment if using secrets; removes existing files from the container so that secrets can propagate (issue with Windows containers)
+# RUN del c:\opt\shibboleth-idp\conf\idp.properties
+# RUN del c:\opt\shibboleth-idp\conf\ldap.properties
+# RUN del c:\opt\shibboleth-idp\conf\relying-party.xml
+# RUN del c:\opt\shibboleth-idp\conf\attribute-filter.xml
+# RUN del c:\opt\shibboleth-idp\conf\attribute-resolver.xml
+# RUN del c:\opt\shibboleth-idp\conf\metadata-providers.xml
+# RUN del c:\opt\shibboleth-idp\credentials\idp-signing.key
+# RUN del c:\opt\shibboleth-idp\credentials\idp-signing.crt
+# RUN del c:\opt\shibboleth-idp\credentials\idp-encryption.key
+# RUN del c:\opt\shibboleth-idp\credentials\idp-encryption.crt
+# RUN del c:\opt\shibboleth-idp\credentials\sealer.jks
+# RUN del c:\opt\shibboleth-idp\credentials\sealer.kver
+

test-compose/idp/container_files/config/shib-idp/conf/access-control.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.17.0.0/24', '172.18.0.0/24', '10.255.0.0/16'} }" />
+        </entry>
+
+        <!--
+        <entry key="AccessByUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+    </util:map>
+
+</beans>

test-compose/idp/container_files/config/shib-idp/conf/admin/general-admin.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <util:list id="shibboleth.AvailableAdminFlows">
+
+        <!-- Status Page -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/status"
+            p:loggingId="%{idp.service.logging.status:Status}"
+            p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
+
+        <!-- Service Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- MetadataResolver Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-metadata"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- AttributeResolver Debugging -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/resolvertest"
+            p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
+            p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
+
+        <!-- REST StorageService Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/storage"
+            p:loggingId="Storage"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST Interface to Metrics -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/metrics"
+            p:loggingId="Metrics"
+            p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+
+    </util:list>
+
+</beans>

test-compose/idp/container_files/config/shib-idp/conf/admin/metrics.xml

@@ -0,0 +1,129 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <!-- Metrics enablement / activation. -->
+
+    <!--
+    Register one or more of the built-in system metric sets available.
+    -->
+
+    <bean parent="shibboleth.metrics.RegisterMetricSets">
+        <property name="arguments">
+            <list>
+                <ref bean="shibboleth.metrics.CoreGaugeSet" />
+                <ref bean="shibboleth.metrics.IdPGaugeSet" />
+                <ref bean="shibboleth.metrics.LoggingGaugeSet" />
+                <ref bean="shibboleth.metrics.AccessControlGaugeSet" />
+                <ref bean="shibboleth.metrics.MetadataGaugeSet" />
+                <ref bean="shibboleth.metrics.NameIdentifierGaugeSet" />
+                <ref bean="shibboleth.metrics.RelyingPartyGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeResolverGaugeSet" />
+                <ref bean="shibboleth.metrics.AttributeFilterGaugeSet" />
+
+                <!--
+                <bean class="com.codahale.metrics.jvm.CachedThreadStatesGaugeSet"
+                    c:_0="1" c:_1="#{T(java.util.concurrent.TimeUnit).MINUTES}" />
+                <bean class="com.codahale.metrics.jvm.ClassLoadingGaugeSet" />
+                <bean class="com.codahale.metrics.jvm.GarbageCollectorMetricSet" />
+                <bean class="com.codahale.metrics.jvm.MemoryUsageGaugeSet" />
+                -->
+            </list>
+        </property>
+    </bean>
+
+    <!-- Metrics REST API Configuration -->
+
+    <!--
+    The global metric set is available by default at /idp/profile/admin/metrics
+    
+    Any pathinfo after that is assumed to identify specific named metrics. You can
+    create mappings here between a logical "group" name and an implementation of the
+    com.codahale.metrics.MetricFilter interface to specify which metrics to include.
+    -->
+    <util:map id="shibboleth.metrics.MetricGroups">
+        <entry key="core" value-ref="shibboleth.metrics.CoreGaugeSet" />
+        <entry key="idp" value-ref="shibboleth.metrics.IdPGaugeSet" />
+        <entry key="logging" value-ref="shibboleth.metrics.LoggingGaugeSet" />
+        <entry key="access" value-ref="shibboleth.metrics.AccessControlGaugeSet" />
+        <entry key="metadata" value-ref="shibboleth.metrics.MetadataGaugeSet" />
+        <entry key="nameid" value-ref="shibboleth.metrics.NameIdentifierGaugeSet" />
+        <entry key="relyingparty" value-ref="shibboleth.metrics.RelyingPartyGaugeSet" />
+        <entry key="resolver" value-ref="shibboleth.metrics.AttributeResolverGaugeSet" />
+        <entry key="filter" value-ref="shibboleth.metrics.AttributeFilterGaugeSet" />
+    </util:map>
+
+    <!-- If you don't specify an alternate access policy, this named policy will be enforced. -->
+    <bean id="shibboleth.metrics.DefaultAccessPolicy" class="java.lang.String" c:_0="AccessByIPAddress" />
+
+    <!--
+    To override the default access policy, map a metric name or
+    mapped group above to an alternative policy name.
+    -->
+    <util:map id="shibboleth.metrics.AccessPolicyMap">
+
+    </util:map>
+
+    <!--
+    In addition to the "pull" REST API for accessing metrics, a "push" reporter is also
+    available to upload a JSON feed to a URL. The example shown relies on standard JVM
+    trust configuration for TLS server verification.
+    
+    The "start" method triggers the timer thread; the example pushes every 30 minutes.
+    -->
+    <!--
+    <bean id="PushReporter" parent="shibboleth.metrics.HTTPReporter" c:name="MyCollector"
+        p:collectorURL="https://log.example.org/cgi-bin/collector.cgi" />
+                
+    <bean class="org.springframework.beans.factory.config.MethodInvokingBean"
+            p:targetObject-ref="PushReporter"
+            p:targetMethod="start">
+        <property name="arguments">
+            <list>
+                <value>30</value>
+                <util:constant static-field="java.util.concurrent.TimeUnit.MINUTES" />
+            </list>
+        </property>
+    </bean>
+    -->
+
+    <!-- IdP Metrics Configuration -->
+
+    <!--
+    A bean named shibboleth.metrics.MetricStrategy of type Function<ProfileRequestContext,Boolean>
+    can be defined to add timers and counters to a large range of objects in the system. Each timer is
+    defined by a triple (timer name, start object, stop object). Counters are just object/counter pairs.
+    
+    The most common example is to start a timer when a particular flow action bean starts and
+    stop it when the same or different action bean stops, to measure how long the execution takes.
+    
+    If you want to leave a timer in place but disabled to prevent overhead, you can turn off a
+    logging category named "metrics.<timername>" in your logging configuration.
+    -->
+    <!--
+    <bean id="shibboleth.metrics.MetricStrategy" parent="shibboleth.ContextFunctions.Scripted"
+            factory-method="inlineScript">
+        <constructor-arg>
+            <value>
+            <![CDATA[
+                metricCtx = input.getSubcontext("org.opensaml.profile.context.MetricContext");
+                metricCtx.addTimer("idp.attribute.resolution",
+                    "ResolveAttributes",
+                    "FilterAttributes"
+                    );                                
+                true; // Signals success.
+            ]]>
+            </value>
+        </constructor-arg>
+    </bean>
+    -->
+
+</beans>