181102 3.4.1

Dockerfile

@@ -51,7 +51,7 @@ RUN del C:\%JAVA_INSTALL_FILENAME%
 
 
 ##install Tomcat
-COPY config.ini c:\config.ini
+COPY container_files/config.ini c:\config.ini
 RUN powershell (new-object System.Net.WebClient).Downloadfile('http://www.apache.org/dist/tomcat/tomcat-%TOMCAT_MAJOR_VERSION%/v%TOMCAT_VERSION%/bin/apache-tomcat-%TOMCAT_VERSION%.exe', 'C:\apache-tomcat-%TOMCAT_VERSION%.exe')
 RUN powershell If ((Get-FileHash C:\apache-tomcat-%TOMCAT_VERSION%.exe -Algorithm SHA512).Hash.ToLower() -eq ` \
  'a03c507179cddb8ec6d35572fa81522c3472df689e34718daff8faa91bcb6af397a5f0d0d4c929add3e86d0957275c0d402ea96c491c50f639ec6371ba146d43') ` \
@@ -61,9 +61,9 @@ RUN powershell If ((Get-FileHash C:\apache-tomcat-%TOMCAT_VERSION%.exe -Algorith
 RUN del C:\apache-tomcat-%TOMCAT_VERSION%.exe
 
 #copy temp SSL cert for tomcat in c:\sslcert
-COPY keystore.jks c:\\sslcert\\keystore.jks
+COPY container_files/keystore.jks c:\\sslcert\\keystore.jks
 #copy temp tomcat config file (listening on 443, cert at c:\sslcert\keystore.jks
-COPY server.xml c:\\Tomcat\\conf\\server.xml
+COPY container_files/server.xml c:\\Tomcat\\conf\\server.xml
 #cleanup tomcat install
 RUN rmdir /S /Q c:\Tomcat\webapps\docs && rmdir /S /Q c:\Tomcat\webapps\manager && del /F /Q c:\tomcat\webapps\ROOT\*.* && del /F /Q c:\tomcat\webapps\ROOT\WEB-INF\*.* && rmdir c:\tomcat\webapps\ROOT\WEB-INF
 
@@ -80,11 +80,11 @@ RUN mklink c:\Tomcat\webapps\idp.war c:\opt\shibboleth-idp\war\idp.war
 #copy TIER beacon script
 RUN mkdir c:\util
 RUN mkdir c:\opt\certs
-COPY sendtierbeacon.ps1 c:\\util
+COPY container_files/sendtierbeacon.ps1 c:\\util
 #schedule script to run (at random time)
 #RUN powershell ($tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]) + ":" + ((Get-Random -Minimum 0 -Maximum 60) -as [string]) ; start-process -filepath schtasks -passthru -wait -argumentlist '/create','/tn','\"Send TIER Beacon\"','/tr','c:\util\sendtierbeacon.ps1','/sc','DAILY','/st',"$tm"
 #The line above is triggering an apprent bug in docker or windows core (essentially invalid XML), the 2 lines below are the workaround
-COPY TIER_Beacon_Task.xml c:\TIER_Beacon_Task.xml
+COPY container_files/TIER_Beacon_Task.xml c:\TIER_Beacon_Task.xml
 RUN powershell schtasks /Create /XML c:\TIER_Beacon_Task.xml /TN 'TIER Beacon' ; $tm=((Get-Random -Minimum 0 -Maximum 4) -as [string]).padleft(2,'0') + ':' + ((Get-Random -Minimum 0 -Maximum 60) -as [string]).padleft(2,'0') ; schtasks /Change /TN 'TIER Beacon' /ST $tm
 RUN del c:\TIER_Beacon_Task.xml
 

Jenkinsfile

@@ -19,16 +19,17 @@ node('windows') {
 
     checkout scm
 
-/*  stage 'Acquire util files'
+  stage 'Acquire util files'
 
-    sh 'mkdir -p tmp && mkdir -p bin'
+	powershell(returnStatus: true, script: 'New-Item -ItemType directory -Path ./tmp')
+	powershell(returnStatus: true, script: 'Remove-Item ./bin -Force -Recurse')
     dir('tmp'){
       git([ url: "https://github.internet2.edu/docker/util.git",
           credentialsId: "jenkins-github-access-token" ])
-      sh 'mv ./bin/* ../bin/.'
+	  powershell(returnStatus: true, script: 'Move-Item -Path ./bin/ -Destination ../bin/')
     }
-    sh 'rm -rf tmp'
-*/
+    powershell(returnStatus: true, script: 'Remove-Item ./tmp -Force -Recurse')
+
 
   stage 'Setting build context'
 
@@ -53,16 +54,36 @@ node('windows') {
 
   stage 'Build'
 
-    try{
-      bat 'powershell ./rebuild.ps1 > ./debug'
-    } catch(error) {
-      def error_details = readFile('./debug');
-      def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
-      bat "powershell (Remove-Item -Force ./debug)"
-      handleError(message)
-    }
+      try{
+	    powershell(returnStatus: true, script: '& ./bin/windows/rebuild.ps1 > ./debug')
+	  } catch(error) {
+	    def error_details = readFile('./debug');
+        def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
+		powershell(returnStatus: true, script: 'Remove-Item -Force ./debug')
+		currentBuild.result = 'FAILURE'
+		handleError(message)
+	  }
+	  /*def status = powershell(returnStatus: true, script: '& ./bin/windows/rebuild.ps1 > ./debug')
+      if (status == 0) {
+	    echo "build success"
+	  } else {
+        def error_details = readFile('./debug');
+        def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
+        handleError(message)
+        powershell(returnStatus: true, script: 'Remove-Item -Force ./debug')
+	  }*/
 
-//  stage 'Test'
+  stage 'Test'
+
+      try{
+	    powershell(returnStatus: true, script: '& ./tests/runtests.ps1 > ./debug')
+	  } catch(error) {
+	    def error_details = readFile('./debug');
+        def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
+		powershell(returnStatus: true, script: 'Remove-Item -Force ./debug')
+		currentBuild.result = 'FAILURE'
+		handleError(message)
+	  }
 
 
   stage 'Push'
@@ -92,5 +113,5 @@ def handleError(String message){
   echo "${message}"
   currentBuild.setResult("FAILED")
   //slackSend color: 'danger', message: "${message}"
-  bat 'exit 1'
+  bat exit 1
 }

test-compose/docker-compose.yml

@@ -0,0 +1,42 @@
+
+version: "3.3"
+
+services:
+  idp:
+    build: 
+      context: ./idp/
+      args:
+        TOMCFG: ./container_files/config/tomcat
+        TOMCERT: ./container_files/credentials/tomcat
+        TOMWWWROOT: ./container_files/wwwroot
+        SHBCFG: ./container_files/config/shib-idp/conf
+        SHBCREDS: ./container_files/credentials/shib-idp
+        SHBVIEWS: ./container_files/config/shib-idp/views
+        SHBEDWAPP: ./container_files/config/shib-idp/edit-webapp
+        SHBMSGS: ./container_files/config/shib-idp/messages
+        SHBMD: ./container_files/config/shib-idp/metadata
+    expose:
+     - "443"
+    ports:
+     - "443:443"
+    dns:
+     - 8.8.8.8
+     - 4.4.4.4
+
+  sp:
+    build: ./sp/
+    expose:
+     - "8443"
+    ports:
+     - "8443:8443"
+    dns:
+     - 8.8.8.8
+     - 4.4.4.4
+
+networks:
+  default:
+    external:
+      name: nat
+
+
+

test-compose/getIPs.ps1

@@ -0,0 +1,15 @@
+
+$idpcid = docker ps | Select-String 'idp' | ForEach-Object { $_.Line.split(' ')[0] }
+$spcid = docker ps | Select-String 'sp' | ForEach-Object { $_.Line.split(' ')[0] }
+
+$idpip = (docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" $idpcid)
+$spip = (docker inspect -f "{{ .NetworkSettings.Networks.nat.IPAddress }}" $spcid)
+
+$msg = $($idpip.Trim()) + ' idp.example.edu' + "`r`n" + $($spip.Trim()) + ' sptest.example.edu'
+
+Set-Clipboard -Value $msg
+
+Write-Host ''
+Write-Host $($msg)
+Write-Host '  **above entries copied to clipboard'
+Write-Host ''

test-compose/idp/Dockerfile

@@ -0,0 +1,39 @@
+FROM tier/shibbidp_novm_windows:latest
+
+#params for supplying your IdP config to your container (can be overridden at build-time using build-args)
+ARG TOMCFG=config\\tomcat
+ARG TOMLOG=logs\\tomcat
+ARG TOMCERT=credentials\\tomcat
+ARG TOMWWWROOT=wwwroot
+ARG SHBCFG=config\\shib-idp\\conf
+ARG SHBCREDS=credentials\\shib-idp
+ARG SHBVIEWS=config\\shib-idp\\views
+ARG SHBEDWAPP=config\\shib-idp\\edit-webapp
+ARG SHBMSGS=config\\shib-idp\\messages
+ARG SHBMD=config\\shib-idp\\metadata
+ARG SHBLOG=logs\\shib-idp
+
+ADD $TOMCFG c:\\Tomcat\\conf
+ADD $TOMCERT c:\\opt\\certs
+ADD $TOMWWWROOT c:\\Tomcat\\webapps\\ROOT
+ADD $SHBCFG c:\\opt\\shibboleth-idp\\conf
+ADD $SHBCREDS c:\\opt\\shibboleth-idp\\credentials
+ADD $SHBVIEWS c:\\opt\\shibboleth-idp\\views
+ADD $SHBEDWAPP c:\\opt\\shibboleth-idp\\edit-webapp
+ADD $SHBMSGS c:\\opt\\shibboleth-idp\\messages
+ADD $SHBMD c:\\opt\\shibboleth-idp\\metadata
+
+# Uncomment if using secrets; removes existing files from the container so that secrets can propagate (issue with Windows containers)
+# RUN del c:\opt\shibboleth-idp\conf\idp.properties
+# RUN del c:\opt\shibboleth-idp\conf\ldap.properties
+# RUN del c:\opt\shibboleth-idp\conf\relying-party.xml
+# RUN del c:\opt\shibboleth-idp\conf\attribute-filter.xml
+# RUN del c:\opt\shibboleth-idp\conf\attribute-resolver.xml
+# RUN del c:\opt\shibboleth-idp\conf\metadata-providers.xml
+# RUN del c:\opt\shibboleth-idp\credentials\idp-signing.key
+# RUN del c:\opt\shibboleth-idp\credentials\idp-signing.crt
+# RUN del c:\opt\shibboleth-idp\credentials\idp-encryption.key
+# RUN del c:\opt\shibboleth-idp\credentials\idp-encryption.crt
+# RUN del c:\opt\shibboleth-idp\credentials\sealer.jks
+# RUN del c:\opt\shibboleth-idp\credentials\sealer.kver
+

test-compose/idp/container_files/config/shib-idp/conf/access-control.xml

@@ -0,0 +1,68 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+       xmlns:context="http://www.springframework.org/schema/context"
+       xmlns:util="http://www.springframework.org/schema/util"
+       xmlns:p="http://www.springframework.org/schema/p"
+       xmlns:c="http://www.springframework.org/schema/c"
+       xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+       xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                           http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                           http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+       default-init-method="initialize"
+       default-destroy-method="destroy">
+
+    <!--
+    Map of access control policies used to limit access to administrative functions.
+    The purpose of the map is to label policies with a key/name so they can be reused.
+    -->
+
+    <!--
+    Use the "shibboleth.IPRangeAccessControl" parent bean for IP-based access control.
+    The ranges provided MUST be CIDR network expressions. To specify a single address,
+    add "/32" or "/128" for IPv4 or IPv6 respectively.
+
+    The additional examples below demonstrate how to control access by username
+    and by attribute(s), in the case of authenticated access to admin functions.
+    -->
+
+    <util:map id="shibboleth.AccessControlPolicies">
+
+        <entry key="AccessByIPAddress">
+            <bean id="AccessByIPAddress" parent="shibboleth.IPRangeAccessControl"
+                p:allowedRanges="#{ {'127.0.0.1/32', '::1/128', '172.17.0.0/24', '172.18.0.0/24', '10.255.0.0/16'} }" />
+        </entry>
+
+        <!--
+        <entry key="AccessByUser">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean parent="shibboleth.Conditions.SubjectName" c:collection="#{'jdoe'}" />
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+        <!--
+        <entry key="AccessByAttribute">
+            <bean parent="shibboleth.PredicateAccessControl">
+                <constructor-arg>
+                    <bean class="net.shibboleth.idp.profile.logic.SimpleAttributePredicate">
+                        <property name="attributeValueMap">
+                            <map>
+                                <entry key="eduPersonEntitlement">
+                                    <list>
+                                        <value>https://example.org/entitlement/idpadmin</value>
+                                    </list>
+                                </entry>
+                            </map>
+                        </property>
+                    </bean>
+                </constructor-arg>
+            </bean>
+        </entry>
+        -->
+
+    </util:map>
+
+</beans>

test-compose/idp/container_files/config/shib-idp/conf/admin/general-admin.xml

@@ -0,0 +1,53 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<beans xmlns="http://www.springframework.org/schema/beans"
+    xmlns:context="http://www.springframework.org/schema/context"
+    xmlns:util="http://www.springframework.org/schema/util" xmlns:p="http://www.springframework.org/schema/p"
+    xmlns:c="http://www.springframework.org/schema/c" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+    xsi:schemaLocation="http://www.springframework.org/schema/beans http://www.springframework.org/schema/beans/spring-beans.xsd
+                        http://www.springframework.org/schema/context http://www.springframework.org/schema/context/spring-context.xsd
+                        http://www.springframework.org/schema/util http://www.springframework.org/schema/util/spring-util.xsd"
+
+    default-init-method="initialize"
+    default-destroy-method="destroy">
+
+    <util:list id="shibboleth.AvailableAdminFlows">
+
+        <!-- Status Page -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/status"
+            p:loggingId="%{idp.service.logging.status:Status}"
+            p:policyName="%{idp.status.accessPolicy:AccessByIPAddress}" />
+
+        <!-- Service Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-service-configuration"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- MetadataResolver Reload -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/reload-metadata"
+            p:loggingId="%{idp.service.logging.serviceReload:Reload}"
+            p:policyName="%{idp.reload.accessPolicy:AccessByIPAddress}" />
+
+        <!-- AttributeResolver Debugging -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/resolvertest"
+            p:loggingId="%{idp.service.logging.resolvertest:ResolverTest}"
+            p:policyName="%{idp.resolvertest.accessPolicy:AccessByIPAddress}" />
+
+        <!-- REST StorageService Access -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/storage"
+            p:loggingId="Storage"
+            p:policyName="AccessByIPAddress" />
+
+        <!-- REST Interface to Metrics -->
+        <bean parent="shibboleth.AdminFlow"
+            c:id="http://shibboleth.net/ns/profiles/metrics"
+            p:loggingId="Metrics"
+            p:policyNameLookupStrategy-ref="shibboleth.metrics.AccessPolicyStrategy" />
+
+    </util:list>
+
+</beans>