First commit of template for Shibboleth SP

comanage-registry-shibboleth-sp/000-comanage.conf

@@ -0,0 +1,46 @@
+<VirtualHost *:80>
+  RewriteEngine On
+  RewriteCond %{HTTPS} off
+  RewriteRule ^ https://%{HTTP_HOST}:443%{REQUEST_URI} [R=302,L,QSA]
+</VirtualHost>
+
+<VirtualHost *:443>
+
+  DocumentRoot /var/www/html
+
+  RedirectMatch ^/$ /registry/
+
+  ErrorLog ${APACHE_LOG_DIR}/error.log
+  CustomLog ${APACHE_LOG_DIR}/access.log combined
+
+  LogLevel warn
+
+  Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains"
+
+  SSLEngine on
+  SSLProtocol all -SSLv2 -SSLv3
+  SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH
+  SSLHonorCipherOrder on
+
+  SSLCertificateFile /etc/apache2/cert.pem
+  SSLCertificateKeyFile /etc/apache2/privkey.pem
+  SSLCertificateChainFile /etc/apache2/chain.pem
+
+  <Directory /var/www/html/registry>
+    Options Indexes FollowSymLinks
+    DirectoryIndex index.php
+    AllowOverride All
+    Require all granted
+  </Directory>
+
+  <Location "/Shibboleth.sso">
+    SetHandler shib
+  </Location>
+
+  <Directory /var/www/html/registry/auth/login>
+    AuthType shibboleth
+    ShibRequestSetting requireSession 1
+    Require valid-user
+  </Directory>
+
+</VirtualHost>

comanage-registry-shibboleth-sp/Dockerfile.template

@@ -0,0 +1,242 @@
+# Copyright (C) 2017 Spherical Cow Group
+# 
+# Licensed under the Apache License, Version 2.0 (the "License"); you may not use this file except in compliance with
+# the License. You may obtain a copy of the License at
+# 
+# http://www.apache.org/licenses/LICENSE-2.0
+# 
+# Unless required by applicable law or agreed to in writing, software distributed under
+# the License is distributed on an "AS IS" BASIS, WITHOUT WARRANTIES OR CONDITIONS OF ANY
+# KIND, either express or implied. See the License for the specific language governing
+# permissions and limitations under the License.
+
+# Official PHP image with Apache HTTPD includes
+# --with-openssl
+# --with-mbstring
+# but xls, pdo, pdo_mysql, pdo_pgsql, mysqli, pgsql, 
+# and ldap extensions must be built.
+FROM php:7.0-apache
+
+RUN apt-get update \
+      && apt-get install -y --no-install-recommends \
+            apache2-dev \
+            file \
+            gcc \
+            g++ \
+            libboost-dev \
+            libcurl4-openssl-dev \
+            libssl-dev \
+            libssl1.0.0 \
+            make \
+            wget 
+
+ARG LOG4SHIB_URL=http://shibboleth.net/downloads/log4shib/latest/log4shib-1.0.9.tar.gz
+
+RUN wget -O log4shib.tar.gz "${LOG4SHIB_URL}" \
+      && mkdir -p src \
+      && tar -zxf log4shib.tar.gz -C src --strip-components=1 \
+      && rm -f log4shib.tar.gz \
+      && cd src \
+      && LD_FLAGS=-lpthread CXXFLAGS=-fPIC ./configure --disable-static \
+            --disable-doxygen \ 
+            --prefix=/opt/shibboleth-sp \
+            --build=x86_64 \
+      && LD_FLAGS=-lpthread make \
+      && make install \
+      && cd .. \
+      && rm -r src 
+
+ARG XERCESC_URL=http://ftp.wayne.edu/apache/xerces/c/3/sources/xerces-c-3.1.4.tar.gz
+
+RUN wget -O xerces.tar.gz "${XERCESC_URL}" \
+      && mkdir -p src \
+      && tar -zxf xerces.tar.gz -C src --strip-components=1 \
+      && rm -f xerces.tar.gz \
+      && cd src \
+      && ./configure --prefix=/opt/shibboleth-sp \
+      && make \
+      && make install \
+      && cd .. \
+      && rm -r src 
+
+ARG XMLSECC_URL=http://ftp.wayne.edu/apache/santuario/c-library/xml-security-c-1.7.3.tar.gz
+
+RUN wget -O xmlsecc.tar.gz "${XMLSECC_URL}" \
+      && mkdir -p src \
+      && tar -zxf xmlsecc.tar.gz -C src --strip-components=1 \
+      && rm -f xmlsecc.tar.gz \
+      && cd src \
+      && ./configure --prefix=/opt/shibboleth-sp \
+            --with-xerces=/opt/shibboleth-sp \
+            --with-openssl=/usr \
+            --disable-static \
+            --without-xalan \
+      && make \
+      && make install \
+      && cd .. \
+      && rm -r src 
+
+ARG XMLTOOLING_URL=http://shibboleth.net/downloads/c++-opensaml/latest/xmltooling-1.6.0.tar.gz
+
+RUN wget -O xmltooling.tar.gz "${XMLTOOLING_URL}" \
+      && mkdir -p src \
+      && tar -zxf xmltooling.tar.gz -C src --strip-components=1 \
+      && rm -f xmltooling.tar.gz \
+      && cd src \
+      && CXXFLAGS=-fPIC ./configure --prefix=/opt/shibboleth-sp \
+            --with-log4shib=/opt/shibboleth-sp \
+            -C \
+      && make \
+      && make install \
+      && cd .. \
+      && rm -r src 
+
+ARG OPENSAMLC_URL=http://shibboleth.net/downloads/c++-opensaml/latest/opensaml-2.6.0.tar.gz
+
+RUN wget -O opensamlc.tar.gz "${OPENSAMLC_URL}" \
+      && mkdir -p src \
+      && tar -zxf opensamlc.tar.gz -C src --strip-components=1 \
+      && rm -f opensamlc.tar.gz \
+      && cd src \
+      && ./configure --prefix=/opt/shibboleth-sp \
+            --with-log4shib=/opt/shibboleth-sp \
+            -C \
+      && make \
+      && make install \
+      && cd .. \
+      && rm -r src 
+
+ARG SHIBBOLETH_SP_URL=http://shibboleth.net/downloads/service-provider/latest/shibboleth-sp-2.6.0.tar.gz
+
+RUN wget -O shibboleth-sp.tar.gz "${SHIBBOLETH_SP_URL}" \
+      && mkdir -p src \
+      && tar -zxf shibboleth-sp.tar.gz -C src --strip-components=1 \
+      && rm -f shibboleth-sp.tar.gz \
+      && cd src \
+      && ./configure --prefix=/opt/shibboleth-sp \
+            --with-log4shib=/opt/shibboleth-sp \
+            --with-saml=/opt/shibboleth-sp \
+            --with-xerces=/opt/shibboleth-sp \
+            --with-xmlsec=/opt/shibboleth-sp \
+            --with-xmltooling=/opt/shibboleth-sp \
+            --enable-apache-24 \
+            --with-apxs24=/usr/bin/apxs \
+            --disable-adfs \
+            --disable-obc \
+      && make \
+      && make install \
+      && cd .. \
+      && rm -r src 
+
+COPY shib2.load /etc/apache2/mods-available
+
+RUN /usr/sbin/useradd --system _shibd \
+      && mkdir -p /var/run/shibboleth \
+      && chown _shibd:_shibd /var/run/shibboleth \
+      && chown -R _shibd:_shibd /opt/shibboleth-sp/var \
+      && cp -a /opt/shibboleth-sp/etc/shibboleth /etc/shibboleth \
+      && chown _shibd:_shibd /etc/shibboleth/sp-cert.pem \
+      && chown _shibd:_shibd /etc/shibboleth/sp-key.pem \
+      && cd /opt/shibboleth-sp/etc \
+      && rm -rf shibboleth \
+      && ln -s /etc/shibboleth shibboleth \
+      && a2enmod shib2 \
+      && apt-get install -y --no-install-recommends supervisor \
+      && mkdir -p /var/log/supervisor
+
+COPY supervisord.conf /etc/supervisor/conf.d/supervisord.conf
+
+ARG COMANAGE_REGISTRY_VERSION=%%COMANAGE_REGISTRY_VERSION%%
+ARG COMANAGE_REGISTRY_SRC_URL=https://github.com/Internet2/comanage-registry/archive/$COMANAGE_REGISTRY_VERSION.tar.gz
+
+LABEL comanage_registry_version=$COMANAGE_REGISTRY_VERSION
+LABEL comanage_registry_src_url=$COMANAGE_REGISTRY_SRC_URL
+
+ENV COMANAGE_REGISTRY_DIR /srv/comanage-registry
+
+RUN apt-get update && apt-get install -y \
+         libldap-2.4-2 \
+         libldap2-dev \
+         libmysqlclient18 \
+         libmysqlclient-dev \
+         libpq-dev \
+         libxml2 \
+         libxslt1-dev \
+         libxslt1.1 \
+         ssl-cert \
+         wget \
+         zlib1g \
+      && docker-php-ext-configure pgsql -with-pgsql=/usr/local/pgsql \
+      && docker-php-ext-configure ldap --with-libdir=lib/x86_64-linux-gnu \
+      && docker-php-ext-configure mysqli --with-mysqli=/usr/bin/mysql_config \
+      && docker-php-ext-install xsl pdo pdo_mysql pdo_pgsql mysqli pgsql ldap \
+      && docker-php-source delete \
+      && apt-get purge -y \
+         libldap2-dev \
+         libmysqlclient-dev \
+         libpq-dev \
+         apache2-dev \
+         file \
+         gcc \
+         g++ \
+         libboost-dev \
+         libcurl4-openssl-dev \
+         libssl-dev \
+         make \
+      && apt-get clean
+
+WORKDIR "$COMANAGE_REGISTRY_DIR"
+
+COPY 000-comanage.conf /etc/apache2/sites-available/000-comanage.conf
+
+RUN mkdir -p "$COMANAGE_REGISTRY_DIR" \
+      && wget -O comanage.tar.gz $COMANAGE_REGISTRY_SRC_URL \
+      && tar -zxf comanage.tar.gz -C "$COMANAGE_REGISTRY_DIR" --strip-components=1 \
+      && rm -f comanage.tar.gz \
+      && rm -f "$COMANAGE_REGISTRY_DIR/app/tmp" \
+      && cp -r "$COMANAGE_REGISTRY_DIR/app/tmp.dist" "$COMANAGE_REGISTRY_DIR/app/tmp" \
+      && chown -R www-data:www-data "$COMANAGE_REGISTRY_DIR/app/tmp" \
+      && cd /var/www/html \
+      && ln -s "$COMANAGE_REGISTRY_DIR/app/webroot" registry \
+      && cd "$COMANAGE_REGISTRY_DIR" \
+      && rm -rf local \
+      && mkdir -p /local \
+      && ln -s /local local \
+      && a2enmod headers \
+      && a2enmod ssl \
+      && a2enmod rewrite \
+      && a2dissite 000-default.conf \
+      && a2ensite 000-comanage.conf \
+      && a2disconf other-vhosts-access-log \
+      && cd /etc/apache2 \
+      && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem cert.pem \
+      && ln -s /etc/ssl/private/ssl-cert-snakeoil.key privkey.pem \
+      && ln -s /etc/ssl/certs/ssl-cert-snakeoil.pem chain.pem  \
+      && sed -ie 's/'"'"'engine'"'"' => '"'"'FileLog'"'"'/'"'"'engine'"'"' => '"'"'ConsoleLog'"'"'/' "$COMANAGE_REGISTRY_DIR/app/Config/bootstrap.php" 
+
+COPY docker-comanage-entrypoint /usr/local/bin/
+
+# expose COmanage Registry local directory
+VOLUME ["/local"]
+
+WORKDIR /var/www/html
+
+EXPOSE 80 443
+
+# Default values for first administrator bootstrapped
+# into the platform, most likely overridden at build time
+# using build arguments.
+ARG COMANAGE_REGISTRY_ADMIN_GIVEN_NAME
+ARG COMANAGE_REGISTRY_ADMIN_FAMILY_NAME
+ARG COMANAGE_REGISTRY_ADMIN_USERNAME
+ARG COMANAGE_REGISTRY_ENABLE_POOLING
+
+ENV COMANAGE_REGISTRY_ADMIN_GIVEN_NAME ${COMANAGE_REGISTRY_ADMIN_GIVEN_NAME:-Registry}
+ENV COMANAGE_REGISTRY_ADMIN_FAMILY_NAME ${COMANAGE_REGISTRY_ADMIN_FAMILY_NAME:-Admin}
+ENV COMANAGE_REGISTRY_ADMIN_USERNAME ${COMANAGE_REGISTRY_ADMIN_USERNAME:-registry.admin}
+ENV COMANAGE_REGISTRY_ENABLE_POOLING ${COMANAGE_REGISTRY_ENABLE_POOLING:-No}
+
+# expose Shibboleth SP configuration files
+VOLUME ["/etc/shibboleth"]
+
+ENTRYPOINT ["/usr/bin/supervisord"]