add sealer key rotation

Dockerfile

@@ -20,6 +20,7 @@ ENV JAVA_INSTALL_FILENAME='zulu8.38.0.13-ca-jdk8.0.212-win_x64.msi'
 #ENV JAVA_HOME=c:\\Java\\$JAVA_INSTALL_FOLDER
 RUN powershell [Environment]::SetEnvironmentVariable('JAVA_HOME', '%JAVA_HOME%', [System.EnvironmentVariableTarget]::Machine )
 ENV SHIB_INSTALL_FILE=C:\\shibboleth-identity-provider-$IDP_VERSION-x64.msi
+ENV ENABLE_SEALER_KEY_ROTATION=True
 
 ###install Zulu Java
 RUN powershell (new-object System.Net.WebClient).Downloadfile('https://cdn.azul.com/zulu/bin/%JAVA_INSTALL_FILENAME%', 'C:\%JAVA_INSTALL_FILENAME%')
@@ -83,6 +84,9 @@ RUN C:/opt/shibboleth-idp/bin/build.bat -noinput -S -q -Didp.target.dir=c:/opt/s
 #link IdP's war file to Tomcat
 RUN mklink c:\Tomcat\webapps\idp.war c:\opt\shibboleth-idp\war\idp.war
 
+#copy sealer key rotation script
+COPY container_files/rotateSealerKey.ps1 c:\\opt\\shibboleth-idp\\bin\\rotateSealerKey.ps1
+
 #copy TIER beacon script
 RUN mkdir c:\util
 RUN mkdir c:\opt\certs
@@ -91,9 +95,11 @@ COPY container_files/sendtierbeacon.ps1 c:\\util
 #RUN powershell ($tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]) + ":" + ((Get-Random -Minimum 0 -Maximum 60) -as [string]) ; start-process -filepath schtasks -passthru -wait -argumentlist '/create','/tn','\"Send TIER Beacon\"','/tr','c:\util\sendtierbeacon.ps1','/sc','DAILY','/st',"$tm"
 #The line above is triggering an apprent bug in docker or windows core (essentially invalid XML), the 2 lines below are the workaround
 COPY container_files/TIER_Beacon_Task.xml c:\\TIER_Beacon_Task.xml
+COPY container_files/Sealer_Key_Rotation_Task.xml c:\\Sealer_Key_Rotation_Task.xml
 RUN powershell schtasks /Create /XML c:\TIER_Beacon_Task.xml /TN 'TIER Beacon' ; $tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]).padleft(2,'0') + ':' + ((Get-Random -Minimum 0 -Maximum 60) -as [string]).padleft(2,'0') ; schtasks /Change /TN 'TIER Beacon' /ST $tm
+RUN powershell schtasks /Create /XML c:\Sealer_Key_Rotation_Task.xml /TN 'Rotate IdP Sealer Key' ; $tm=(1 -as [string]).padleft(2,'0') + ':' + (0 -as [string]).padleft(2,'0') ; schtasks /Change /TN 'Rotate IdP Sealer Key' /ST $tm
 RUN del c:\TIER_Beacon_Task.xml
-
+RUN del c:\Sealer_Key_Rotation_Task.xml
 
 #################################################
 ### Settings for a burned-in config (default) ###

container_files/rotateSealerKey.ps1

@@ -0,0 +1,59 @@
+#this script reads the sealer key configuration from the IdP's idp.properties file and rotates the sealer key
+Try {
+  $runthis = $env:ENABLE_SEALER_KEY_ROTATION
+    }
+Catch {
+  $runthis = 'True'
+      }
+
+If ($runthis -eq 'True')  {
+ #settings
+ $IDP_HOME="c:\opt\shibboleth-idp"
+ $IDPPROP=$IDP_HOME + "\conf\idp.properties"
+ $JAVA_HOME="c:\zulujava\zulu-8"
+ #item below is only used if you have configured additional hosts to sync your sealer to
+ $SYNC_CRED="domain\user"
+
+ #get config from properties file
+ $storefile = (cat $IDPPROP | where { $_ -match "idp.sealer.storeResource"}).Split("=")[1].Trim().Replace("%{idp.home}", $IDP_HOME).Replace("/","\")
+ $versionfile = (cat $IDPPROP | where { $_ -match "idp.sealer.versionResource"}).Split("=")[1].Trim().Replace("%{idp.home}", $IDP_HOME).Replace("/","\")
+ $storepass = (cat $IDPPROP | where { $_ -match "idp.sealer.storePassword"}).Split("=")[1].Trim().Replace("{","`{").Replace("}","`}")
+ $alias = (cat $IDPPROP | where { $_ -match "idp.sealer.aliasBase"}).Split("=")[1].Trim()
+ try {
+   $count = (cat $IDPPROP | where { $_ -match "idp.sealer._count"}).Split("=")[1].Trim()
+    }
+ catch {
+   $count = 30
+      }
+ try {
+   $sync_hosts = (cat $IDPPROP | where { $_ -match "idp.sealer._sync_hosts"}).Split("=")[1].Trim()
+    }
+ catch {
+   $sync_hosts = $env:COMPUTERNAME
+      }
+
+
+ #Write-Host "Keystore:" $storefile
+ #Write-Host "Version File:" $versionfile
+ #Write-Host "Store Pass:" $storepass
+ #Write-Host "Alias:" $alias
+ #Write-Host "Count:" $count
+ #Write-Host "Sync Hosts:" $sync_hosts
+
+ #rotate key
+ $cmd = "${IDP_HOME}\bin\runclass.bat net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool --storefile $storefile --storepass `$storepass --versionfile $versionfile --alias $alias --count $count"
+ Invoke-Expression $cmd
+
+ #display current/new version
+ Write-Host "Current Key Version:" (cat $versionfile).split("=")[2].Trim()
+
+ #sync to other hosts
+ $sync_hosts.split(" ") | ForEach {
+  If ($_.Trim() = $env:COMPUTERNAME) {Write-Host "***skipping sync to local host"} Else { 
+	Write-Host "Syncing to: $_"
+        $Session = New-PSSession -ComputerName "$_" -Credential $SYNC_CRED
+	Copy-Item $versionfile -Destination $IDP_HOME\credentials -ToSession $Session
+	}
+ }
+
+}