From f714b2014c11765eda7709d1cb29fc42de602524 Mon Sep 17 00:00:00 2001
From: Paul Caskey <pcaskey@internet2.edu>
Date: Sat, 27 Apr 2019 00:40:34 +0000
Subject: [PATCH] add sealer key rotation

---
 Dockerfile                                   |   8 ++-
 container_files/Sealer_Key_Rotation_Task.xml | Bin 0 -> 3350 bytes
 container_files/rotateSealerKey.ps1          |  59 +++++++++++++++++++
 3 files changed, 66 insertions(+), 1 deletion(-)
 create mode 100644 container_files/Sealer_Key_Rotation_Task.xml
 create mode 100644 container_files/rotateSealerKey.ps1

diff --git a/Dockerfile b/Dockerfile
index 0d34715..75f8632 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -20,6 +20,7 @@ ENV JAVA_INSTALL_FILENAME='zulu8.38.0.13-ca-jdk8.0.212-win_x64.msi'
 #ENV JAVA_HOME=c:\\Java\\$JAVA_INSTALL_FOLDER
 RUN powershell [Environment]::SetEnvironmentVariable('JAVA_HOME', '%JAVA_HOME%', [System.EnvironmentVariableTarget]::Machine )
 ENV SHIB_INSTALL_FILE=C:\\shibboleth-identity-provider-$IDP_VERSION-x64.msi
+ENV ENABLE_SEALER_KEY_ROTATION=True
 
 ###install Zulu Java
 RUN powershell (new-object System.Net.WebClient).Downloadfile('https://cdn.azul.com/zulu/bin/%JAVA_INSTALL_FILENAME%', 'C:\%JAVA_INSTALL_FILENAME%')
@@ -83,6 +84,9 @@ RUN C:/opt/shibboleth-idp/bin/build.bat -noinput -S -q -Didp.target.dir=c:/opt/s
 #link IdP's war file to Tomcat
 RUN mklink c:\Tomcat\webapps\idp.war c:\opt\shibboleth-idp\war\idp.war
 
+#copy sealer key rotation script
+COPY container_files/rotateSealerKey.ps1 c:\\opt\\shibboleth-idp\\bin\\rotateSealerKey.ps1
+
 #copy TIER beacon script
 RUN mkdir c:\util
 RUN mkdir c:\opt\certs
@@ -91,9 +95,11 @@ COPY container_files/sendtierbeacon.ps1 c:\\util
 #RUN powershell ($tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]) + ":" + ((Get-Random -Minimum 0 -Maximum 60) -as [string]) ; start-process -filepath schtasks -passthru -wait -argumentlist '/create','/tn','\"Send TIER Beacon\"','/tr','c:\util\sendtierbeacon.ps1','/sc','DAILY','/st',"$tm"
 #The line above is triggering an apprent bug in docker or windows core (essentially invalid XML), the 2 lines below are the workaround
 COPY container_files/TIER_Beacon_Task.xml c:\\TIER_Beacon_Task.xml
+COPY container_files/Sealer_Key_Rotation_Task.xml c:\\Sealer_Key_Rotation_Task.xml
 RUN powershell schtasks /Create /XML c:\TIER_Beacon_Task.xml /TN 'TIER Beacon' ; $tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]).padleft(2,'0') + ':' + ((Get-Random -Minimum 0 -Maximum 60) -as [string]).padleft(2,'0') ; schtasks /Change /TN 'TIER Beacon' /ST $tm
+RUN powershell schtasks /Create /XML c:\Sealer_Key_Rotation_Task.xml /TN 'Rotate IdP Sealer Key' ; $tm=(1 -as [string]).padleft(2,'0') + ':' + (0 -as [string]).padleft(2,'0') ; schtasks /Change /TN 'Rotate IdP Sealer Key' /ST $tm
 RUN del c:\TIER_Beacon_Task.xml
-
+RUN del c:\Sealer_Key_Rotation_Task.xml
 
 #################################################
 ### Settings for a burned-in config (default) ###
diff --git a/container_files/Sealer_Key_Rotation_Task.xml b/container_files/Sealer_Key_Rotation_Task.xml
new file mode 100644
index 0000000000000000000000000000000000000000..3c3f1013db7e3c1bbc9c781ed7cedb044c535ad0
GIT binary patch
literal 3350
zcmbW4Z%-OQ5XR?qlYR%{dl9s)#!w9YX(iRxD8@A54GJO=kZ>sa<=g(AUCz6`1B!;g
zojWtn%sewYyZ-%Cu|0dXf%UCmPu8)qMb@(i8`@V}v$7Sf#It~8Xg934kq)ivq?gvP
zZ?=xs7j*WlY9H-`Rak9-a=#F9(;<4VLp0^-&L(_Dwrd-FB7EK9bKsDQJbSE+@gMQM
zMYHIl8K66L5w%&LBHge}A}-k{-b%c0INJ%&$t<e1S)2vptJpbSx*$Zz$7oD=SN3(j
zx4ikBr0ew$olb{!`6=5r`Il_Ru}~&+t?t@q_gl6t$KN)3TYPtrR){3Q5MK#)%^vZ8
zhu1OqMQd6OzLonhh){Cjg!&=YC7IPhY4Y2)GrU}oX^T3m#s&Mq^M&U*-o#9tw{T<I
z7*T7h^Q8KZiMPwg_fwX`gIOFyB5R==>WA8%^$Qo{nBRTkeS{Bh`LeJMs?9D{P&M?c
z9G0QPxhB;(!b{7p9b;|$s6QUbNJv>(-uhzJ!EJ2B`95r`?ut08opja<eW=cxIOd)l
zPgOFJPj5X>p2hRI`W^H?|I%Hx9?}hK6{WJN&}FK-=0uO3tX@mYeU^Eh0@`gi1JeDR
z-la)RE<sdJsi&*d^EclH)i`wwh0;7L=dN>3K+vS?gK+HnRFg*gzs7otl|H||?#eiC
zl}46EKBuI{^W|w?DsE?L`iZ;l9L`Q%4@o|9y`&CNye-GIVn1V7^pW4V{;GpAbW@~b
zKgn(C*m)~TnB^hpk*jGR<Y{Uz)tQsO@VAdtS*Sie$7r}`-iHuIp&k4H3-bA$H_zBA
z-rr^!dac2&&-$1g$MjyqW$7ogvetQ!o)4>8gkBV(&?k1~&c5NCeyozW-&cMPt!5MY
z@%=2$`gDt!RF6!ksm_)A6}-L&A&f!$S5r}E(&End6C<viB984ef3q`rnO@qvN7Z>2
zy)vH0&T_m=GmWdA9>=#luL>N;9hFp2F&q+=?mYSIR<j7>$(~Z_4$aC!OU=bLpAL~^
z`3Pm9UA{A7MzSc&G(*fQ__!yM2L0)+vRLypLX0EsxE-dW?pOYP*Wfu|?ZiEMtXG+$
z4bIxq>@-=;CiLS^0_`Iq>a5>(vp2sU+o@|7cZ)jZ<~8Ps``Q64`1`>#>$*8FJ2fku
zjXv|_L`qImVGUCKHsbFooalc5or&sE#h2BKV^5H3*mPl6j4C>vZwK7Gnjnt&yXg>n
zoT}HXXy@ymyADfj<V{vJ$(x|Ww^2VEH0u<PzpWP0jb^u@c^=boDeipkS`8WXylA~a
KpXtArs{I3QvlUwa

literal 0
HcmV?d00001

diff --git a/container_files/rotateSealerKey.ps1 b/container_files/rotateSealerKey.ps1
new file mode 100644
index 0000000..29385da
--- /dev/null
+++ b/container_files/rotateSealerKey.ps1
@@ -0,0 +1,59 @@
+#this script reads the sealer key configuration from the IdP's idp.properties file and rotates the sealer key
+Try {
+  $runthis = $env:ENABLE_SEALER_KEY_ROTATION
+    }
+Catch {
+  $runthis = 'True'
+      }
+
+If ($runthis -eq 'True')  {
+ #settings
+ $IDP_HOME="c:\opt\shibboleth-idp"
+ $IDPPROP=$IDP_HOME + "\conf\idp.properties"
+ $JAVA_HOME="c:\zulujava\zulu-8"
+ #item below is only used if you have configured additional hosts to sync your sealer to
+ $SYNC_CRED="domain\user"
+
+ #get config from properties file
+ $storefile = (cat $IDPPROP | where { $_ -match "idp.sealer.storeResource"}).Split("=")[1].Trim().Replace("%{idp.home}", $IDP_HOME).Replace("/","\")
+ $versionfile = (cat $IDPPROP | where { $_ -match "idp.sealer.versionResource"}).Split("=")[1].Trim().Replace("%{idp.home}", $IDP_HOME).Replace("/","\")
+ $storepass = (cat $IDPPROP | where { $_ -match "idp.sealer.storePassword"}).Split("=")[1].Trim().Replace("{","`{").Replace("}","`}")
+ $alias = (cat $IDPPROP | where { $_ -match "idp.sealer.aliasBase"}).Split("=")[1].Trim()
+ try {
+   $count = (cat $IDPPROP | where { $_ -match "idp.sealer._count"}).Split("=")[1].Trim()
+    }
+ catch {
+   $count = 30
+      }
+ try {
+   $sync_hosts = (cat $IDPPROP | where { $_ -match "idp.sealer._sync_hosts"}).Split("=")[1].Trim()
+    }
+ catch {
+   $sync_hosts = $env:COMPUTERNAME
+      }
+
+
+ #Write-Host "Keystore:" $storefile
+ #Write-Host "Version File:" $versionfile
+ #Write-Host "Store Pass:" $storepass
+ #Write-Host "Alias:" $alias
+ #Write-Host "Count:" $count
+ #Write-Host "Sync Hosts:" $sync_hosts
+
+ #rotate key
+ $cmd = "${IDP_HOME}\bin\runclass.bat net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool --storefile $storefile --storepass `$storepass --versionfile $versionfile --alias $alias --count $count"
+ Invoke-Expression $cmd
+
+ #display current/new version
+ Write-Host "Current Key Version:" (cat $versionfile).split("=")[2].Trim()
+
+ #sync to other hosts
+ $sync_hosts.split(" ") | ForEach {
+  If ($_.Trim() = $env:COMPUTERNAME) {Write-Host "***skipping sync to local host"} Else { 
+	Write-Host "Syncing to: $_"
+        $Session = New-PSSession -ComputerName "$_" -Credential $SYNC_CRED
+	Copy-Item $versionfile -Destination $IDP_HOME\credentials -ToSession $Session
+	}
+ }
+
+}
\ No newline at end of file