Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
Browse the repository at this point in the history
Improved Shibboleth SP integration
Better injection of configuration details and configuration of supervisord.
Showing
4 changed files
with
159 additions
and
3 deletions.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
99 changes: 99 additions & 0 deletions
99
comanage-registry-shibboleth-sp/docker-comanage-shibboleth-sp-entrypoint
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,99 @@ | ||
| #!/bin/bash | ||
|
|
||
| # COmanage Registry Shibboleth SP Dockerfile entrypoint | ||
| # | ||
| # Portions licensed to the University Corporation for Advanced Internet | ||
| # Development, Inc. ("UCAID") under one or more contributor license agreements. | ||
| # See the NOTICE file distributed with this work for additional information | ||
| # regarding copyright ownership. | ||
| # | ||
| # UCAID licenses this file to you under the Apache License, Version 2.0 | ||
| # (the "License"); you may not use this file except in compliance with the | ||
| # License. You may obtain a copy of the License at: | ||
| # | ||
| # http://www.apache.org/licenses/LICENSE-2.0 | ||
| # | ||
| # Unless required by applicable law or agreed to in writing, software | ||
| # distributed under the License is distributed on an "AS IS" BASIS, | ||
| # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. | ||
| # See the License for the specific language governing permissions and | ||
| # limitations under the License. | ||
|
|
||
| if [ -n "$COMANAGE_DEBUG" ] | ||
| then | ||
| OUTPUT=/dev/stdout | ||
| else | ||
| OUTPUT=/dev/null | ||
| fi | ||
|
|
||
| # Configuration details that may be injected through environment | ||
| # variables or the contents of files. | ||
|
|
||
| injectable_config_vars=( | ||
| SHIBBOLETH_SP_ENTITY_ID | ||
| SHIBBOLETH_SP_CERT | ||
| SHIBBOLETH_SP_PRIVKEY | ||
| SHIBBOLETH_SP_SAMLDS_URL | ||
| SHIBBOLETH_SP_METADATA_PROVIDER_XML | ||
| ) | ||
|
|
||
| # If the file associated with a configuration variable is present then | ||
| # read the value from it into the appropriate variable. So for example | ||
| # if the variable COMANAGE_REGISTRY_DATASOURCE_FILE exists and its | ||
| # value points to a file on the file system then read the contents | ||
| # of that file into the variable COMANAGE_REGISTRY_DATASOURCE. | ||
|
|
||
| for config_var in "${injectable_config_vars[@]}" | ||
| do | ||
| eval file_name=\$"${config_var}_FILE"; | ||
|
|
||
| if [ -e "$file_name" ]; then | ||
| declare "${config_var}"=`cat $file_name` | ||
| fi | ||
| done | ||
|
|
||
| # If no shibboleth2.xml file is present then create one using | ||
| # injected information or defaults that are not particularly | ||
| # useful in a federated context but will allow shibd to start. | ||
| if [ ! -e /etc/shibboleth/shibboleth2.xml ]; then | ||
| cp /etc/shibboleth/shibboleth2.xml.template /etc/shibboleth/shibboleth2.xml | ||
| sed -i -e s@%%SHIBBOLETH_SP_ENTITY_ID%%@"${SHIBBOLETH_SP_ENTITY_ID:-https://comanage.registry/shibboleth}"@ /etc/shibboleth/shibboleth2.xml | ||
| sed -i -e s@%%SHIBBOLETH_SP_SAMLDS_URL%%@"${SHIBBOLETH_SP_SAMLDS_URL:-https://localhost/registry/pages/eds/index}"@ /etc/shibboleth/shibboleth2.xml | ||
|
|
||
| # The metadata provider injected input most likely contains special characters | ||
| # so use a sed script instead of simple substitution on the command line. | ||
|
|
||
| if [ -n "$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" ]; then | ||
| xml_content_file="$SHIBBOLETH_SP_METADATA_PROVIDER_XML_FILE" | ||
| else | ||
| xml_content_file=`/bin/mktemp` | ||
| echo ${SHIBBOLETH_SP_METADATA_PROVIDER_XML:-} > ${xml_content_file} | ||
| fi | ||
|
|
||
| sed_script_file=`/bin/mktemp` | ||
| cat >> ${sed_script_file}<<EOF | ||
| /%%SHIBBOLETH_SP_METADATA_PROVIDER_XML%%/ { | ||
| r ${xml_content_file} | ||
| d | ||
| } | ||
| EOF | ||
|
|
||
| sed -i -f ${sed_script_file} /etc/shibboleth/shibboleth2.xml | ||
|
|
||
| chmod 0644 /etc/shibboleth/shibboleth2.xml | ||
| fi | ||
|
|
||
| # If defined use configured location of Shibboleth SP SAML certificate and key. | ||
| if [ -n "$SHIBBOLETH_SP_CERT" ]; then | ||
| cp "$SHIBBOLETH_SP_CERT" /etc/shibboleth/sp-cert.pem | ||
| chown _shibd /etc/shibboleth/sp-cert.pem | ||
| chmod 0644 /etc/shibboleth/sp-cert.pem | ||
| fi | ||
|
|
||
| if [ -n "$SHIBBOLETH_SP_PRIVKEY" ]; then | ||
| cp "$SHIBBOLETH_SP_PRIVKEY" /etc/shibboleth/sp-key.pem | ||
| chown _shibd /etc/shibboleth/sp-key.pem | ||
| chmod 0600 /etc/shibboleth/sp-key.pem | ||
| fi | ||
|
|
||
| exec /opt/shibboleth-sp/sbin/shibd -f -u _shibd -g _shibd -c /etc/shibboleth/shibboleth2.xml -p /var/run/shibboleth/shibd.pid -F |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,51 @@ | ||
| <SPConfig xmlns="urn:mace:shibboleth:2.0:native:sp:config" | ||
| xmlns:conf="urn:mace:shibboleth:2.0:native:sp:config" | ||
| xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" | ||
| xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" | ||
| xmlns:md="urn:oasis:names:tc:SAML:2.0:metadata" | ||
| logger="/etc/shibboleth/console.logger" | ||
| clockSkew="180"> | ||
|
|
||
| <ApplicationDefaults entityID="%%SHIBBOLETH_SP_ENTITY_ID%%" | ||
| REMOTE_USER="eppn persistent-id targeted-id"> | ||
|
|
||
| <Sessions lifetime="28800" timeout="3600" relayState="ss:mem" | ||
| checkAddress="false" handlerSSL="true" cookieProps="https" > | ||
|
|
||
| <SSO discoveryProtocol="SAMLDS" | ||
| discoveryURL="%%SHIBBOLETH_SP_SAMLDS_URL%%" > | ||
| SAML2 | ||
| </SSO> | ||
|
|
||
| <Logout>Local</Logout> | ||
|
|
||
| <Handler type="MetadataGenerator" Location="/Metadata" signing="false"/> | ||
|
|
||
| <Handler type="Status" Location="/Status" acl="127.0.0.1 ::1"/> | ||
|
|
||
| <Handler type="Session" Location="/Session" showAttributeValues="true"/> | ||
|
|
||
| <Handler type="DiscoveryFeed" Location="/DiscoFeed"/> | ||
| </Sessions> | ||
|
|
||
| <Errors supportContact="root@localhost" | ||
| helpLocation="/about.html" | ||
| styleSheet="/shibboleth-sp/main.css"/> | ||
|
|
||
| %%SHIBBOLETH_SP_METADATA_PROVIDER_XML%% | ||
|
|
||
| <AttributeExtractor type="XML" validate="true" reloadChanges="false" path="attribute-map.xml"/> | ||
|
|
||
| <AttributeResolver type="Query" subjectMatch="true"/> | ||
|
|
||
| <AttributeFilter type="XML" validate="true" path="attribute-policy.xml"/> | ||
|
|
||
| <CredentialResolver type="File" key="sp-key.pem" certificate="sp-cert.pem"/> | ||
|
|
||
| </ApplicationDefaults> | ||
|
|
||
| <SecurityPolicyProvider type="XML" validate="true" path="security-policy.xml"/> | ||
|
|
||
| <ProtocolProvider type="XML" validate="true" reloadChanges="false" path="protocols.xml"/> | ||
|
|
||
| </SPConfig> |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters