Migrate Shib in demo/shibboleth to TIER one

Plus a couple of minor fixes.

demo/shibboleth/configs-and-secrets/midpoint/shibboleth/idp-metadata.xml

@@ -104,10 +104,10 @@ p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
 
-        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost:4443/idp/profile/Shibboleth/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/idp/profile/SAML2/POST/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:4443/idp/profile/SAML2/POST-SimpleSign/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:4443/idp/profile/SAML2/Redirect/SSO"/>
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/>
 
     </IDPSSODescriptor>
 

demo/shibboleth/configs-and-secrets/shibboleth/idp-metadata.xml

@@ -104,10 +104,10 @@ p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
 
-        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost:4443/idp/profile/Shibboleth/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/idp/profile/SAML2/POST/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:4443/idp/profile/SAML2/POST-SimpleSign/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:4443/idp/profile/SAML2/Redirect/SSO"/>
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/>
 
     </IDPSSODescriptor>
 

demo/shibboleth/directory/Dockerfile

@@ -27,4 +27,4 @@ EXPOSE 389
 
 # temporary!
 
-CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep 100000000
+CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && sleep infinity

demo/shibboleth/docker-compose.yml

@@ -76,7 +76,7 @@ services:
     depends_on:
      - directory
     ports:
-     - 4443:4443
+     - 443:443
     environment:
      - JETTY_MAX_HEAP=64m
      - JETTY_BROWSER_SSL_KEYSTORE_PASSWORD=password

demo/shibboleth/idp/Dockerfile

@@ -1,4 +1,4 @@
-FROM unicon/shibboleth-idp:latest
+FROM tier/shib-idp:181001
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 

demo/shibboleth/idp/shibboleth-idp/metadata/idp-metadata.xml

@@ -104,10 +104,10 @@ p+tGUbGS2l873J5PrsbpeKEVR/IIoKo=
         <NameIDFormat>urn:mace:shibboleth:1.0:nameIdentifier</NameIDFormat>
         <NameIDFormat>urn:oasis:names:tc:SAML:2.0:nameid-format:transient</NameIDFormat>
 
-        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost:4443/idp/profile/Shibboleth/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost:4443/idp/profile/SAML2/POST/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost:4443/idp/profile/SAML2/POST-SimpleSign/SSO"/>
-        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost:4443/idp/profile/SAML2/Redirect/SSO"/>
+        <SingleSignOnService Binding="urn:mace:shibboleth:1.0:profiles:AuthnRequest" Location="https://localhost/idp/profile/Shibboleth/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST" Location="https://localhost/idp/profile/SAML2/POST/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST-SimpleSign" Location="https://localhost/idp/profile/SAML2/POST-SimpleSign/SSO"/>
+        <SingleSignOnService Binding="urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect" Location="https://localhost/idp/profile/SAML2/Redirect/SSO"/>
 
     </IDPSSODescriptor>
 

demo/shibboleth/tests/main.bats

@@ -20,24 +20,28 @@ load ../../../library
     wait_for_midpoint_start shibboleth_midpoint_server_1
 }
 
-@test "030 Check health" {
+@test "030 Check health (midPoint)" {
     check_health
 }
 
+@test "035 Check health (Shibboleth IdP)" {
+    check_health_shibboleth_idp
+}
+
 @test "040 Check Shibboleth redirection (/midpoint)" {
-    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint | grep 'https:\/\/localhost:4443\/idp\/profile\/SAML2\/Redirect'
+    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint | grep 'https:\/\/localhost\/idp\/profile\/SAML2\/Redirect'
 }
 
 @test "041 Check Shibboleth redirection (/midpoint/)" {
-    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/ | grep 'https:\/\/localhost:4443\/idp\/profile\/SAML2\/Redirect'
+    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/ | grep 'https:\/\/localhost\/idp\/profile\/SAML2\/Redirect'
 }
 
 @test "042 Check Shibboleth redirection (/midpoint/login)" {
-    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/login | grep 'https:\/\/localhost:4443\/idp\/profile\/SAML2\/Redirect'
+    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/login | grep 'https:\/\/localhost\/idp\/profile\/SAML2\/Redirect'
 }
 
 @test "043 Check Shibboleth redirection (/midpoint/something)" {
-    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/something | grep 'https:\/\/localhost:4443\/idp\/profile\/SAML2\/Redirect'
+    curl -k --write-out %{redirect_url} --silent --output /dev/null https://localhost:8443/midpoint/something | grep 'https:\/\/localhost\/idp\/profile\/SAML2\/Redirect'
 }
 
 @test "044 Check SOAP without Shibboleth redirection (/midpoint/ws/)" {

library.bash

@@ -20,14 +20,14 @@ function generic_wait_for_log () {
         echo "Waiting $DELAY seconds for $WAITING_FOR (attempt $ATTEMPT) ..."
         sleep $DELAY
         docker ps
-        ( docker logs $CONTAINER_NAME 2>&1 | grep "$MESSAGE" ) && return 0
+        ( docker logs $CONTAINER_NAME 2>&1 | grep -F "$MESSAGE" ) && return 0
     done
 
     echo "$FAILURE" in $(( $MAX_ATTEMPTS * $DELAY )) seconds in $CONTAINER_NAME
     echo "========== Container log =========="
     docker logs $CONTAINER_NAME 2>&1
     echo "========== End of the container log =========="
-    if [ -n "ADDITIONAL_CONTAINER_NAME" ]; then
+    if [ -n "$ADDITIONAL_CONTAINER_NAME" ]; then
         echo "========== Container log ($ADDITIONAL_CONTAINER_NAME) =========="
         docker logs $ADDITIONAL_CONTAINER_NAME 2>&1
         echo "========== End of the container log ($DATABASE_CONTAINER_NAME) =========="
@@ -46,10 +46,15 @@ function wait_for_midpoint_start () {
 }
 
 # Waits until Shibboleth IDP starts
-function wait_for_shibboleth_idp_start () {
+function wait_for_shibboleth_idp_start_old () {
     generic_wait_for_log $1 "INFO:oejs.Server:main: Started" "shibboleth idp to start" "shibboleth idp did not start" $2
 }
 
+# Waits until Shibboleth IDP starts
+function wait_for_shibboleth_idp_start () {
+    generic_wait_for_log $1 "[main] INFO  org.apache.catalina.startup.Catalina- Server startup in" "shibboleth idp to start" "shibboleth idp did not start" $2
+}
+
 # Waits until Grouper UI starts
 function wait_for_grouper_ui_start () {
     generic_wait_for_log $1 "INFO  org.apache.catalina.startup.Catalina- Server startup in" "grouper ui to start" "grouper ui did not start" $2
@@ -71,7 +76,7 @@ function check_health () {
 }
 
 # Checks the health of Shibboleth IDP server
-function check_health_shibboleth_idp () {
+function check_health_shibboleth_idp_old () {
     echo Checking health of shibboleth idp...
     status="$(curl -k --write-out %{http_code} --silent --output /dev/null https://localhost:4443/idp/)"
     if [ $status -ne 200 ]; then
@@ -84,6 +89,19 @@ function check_health_shibboleth_idp () {
     fi
 }
 
+function check_health_shibboleth_idp () {
+    echo Checking health of shibboleth idp...
+    status="$(curl -k --write-out %{http_code} --silent --output /dev/null https://localhost/idp/)"
+    if [ $status -ne 200 ]; then
+        echo Error: Http code of response is $status
+        docker ps
+        return 1
+    else
+        echo OK
+        return 0
+    fi
+}
+
 # Result is in OUTFILE
 function get_object () {
     local TYPE=$1