
Disable Shib if not needed; add env var checks

If AUTHENTICATION=internal we avoid loading mod_shib and starting shibd.
Also added environment-variable checks so that, if some variables are missing
because of a wrong Docker composition, midPoint reports this to the user with a clear message.
mederly committed Oct 3, 2018
1 parent 7112899 commit 2fc6232c60bdd051163f3aecbe716e1506cfda43
@@ -35,6 +35,10 @@ RUN chmod 755 /opt/tier/setenv.sh \
&& chmod 755 /usr/local/bin/healthcheck.sh

RUN cp /dev/null /etc/httpd/conf.d/ssl.conf \
&& mv /etc/httpd/conf.d/shib.conf shib.conf.auth.shibboleth \
&& touch /etc/httpd/conf.d/shib.conf.auth.internal \
&& mv /etc/httpd/conf.modules.d/00-shib.conf 00-shib.conf.auth.shibboleth \
&& touch /etc/httpd/conf.modules.d/00-shib.conf.auth.internal \
&& sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
&& echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
&& sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/loghttpd"/g' /etc/httpd/conf/httpd.conf \
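Review bot: The two `mv` commands among the added lines give a bare relative destination (`shib.conf.auth.shibboleth`, `00-shib.conf.auth.shibboleth`), so the renamed files land in whatever WORKDIR is in effect for this RUN, not next to their `.auth.internal` counterparts, which the following `touch` lines create with absolute paths under /etc/httpd/conf.d/ and /etc/httpd/conf.modules.d/. If the entrypoint later links `shib.conf.auth.$AUTHENTICATION` and `00-shib.conf.auth.$AUTHENTICATION` from those directories, the shibboleth variants would be dangling links, and httpd in shibboleth mode would either start without the directives those files carry or refuse to start, depending on how they are included; whether WORKDIR happens to be one of those directories is not visible here. Use absolute destinations so the layout is the same in both modes: `mv /etc/httpd/conf.d/shib.conf /etc/httpd/conf.d/shib.conf.auth.shibboleth` and `mv /etc/httpd/conf.modules.d/00-shib.conf /etc/httpd/conf.modules.d/00-shib.conf.auth.shibboleth`. The RUN instruction continues past the end of the hunk.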
@@ -82,7 +86,7 @@ ENV AUTHENTICATION internal
ENV SSO_HEADER uid
ENV AJP_ENABLED true
ENV AJP_PORT 9090
ENV MP_LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout
ENV LOGOUT_URL https://localhost:8443/Shibboleth.sso/Logout

# Other parameters

@@ -1,7 +1,7 @@
#!/bin/bash

function resolvePort() {
if [ $REPO_PORT == "default" ]; then
if [[ $REPO_PORT == "default" ]]; then
case $REPO_DATABASE_TYPE in
mariadb)
echo 3306
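Review bot: `[[ $REPO_PORT == "default" ]]` removes the syntax error the old single-bracket test produced when REPO_PORT was empty, but an unset or empty REPO_PORT now compares silently as an empty string, skips this branch and falls through to whatever the function does for an explicitly supplied port, which presumably yields an empty port value rather than an error. Since the rest of this commit is about reporting missing variables clearly, a guard at the top of the function would keep that behaviour consistent: `: "${REPO_PORT:?REPO_PORT must be set (use \"default\" to derive it from REPO_DATABASE_TYPE)}"`. `resolvePort` continues past the end of the hunk, so the fall-through branch itself is not visible here.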
@@ -26,7 +26,7 @@ function resolvePort() {
fi
}

if [ $REPO_JDBC_URL == "default" ]; then
if [[ $REPO_JDBC_URL == "default" ]]; then
REPO_PORT=$( resolvePort )
case $REPO_DATABASE_TYPE in
mariadb)
@@ -4,5 +4,21 @@ echo "Linking secrets and config files; using authentication: $AUTHENTICATION"
ln -sf /run/secrets/mp_sp-key.pem /etc/shibboleth/sp-key.pem
ln -sf /run/secrets/mp_host-key.pem /etc/pki/tls/private/host-key.pem
ln -sf /etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/midpoint.conf
ln -sf /etc/httpd/conf.d/shib.conf.auth.$AUTHENTICATION /etc/httpd/conf.d/shib.conf
ln -sf /etc/httpd/conf.modules.d/00-shib.conf.auth.$AUTHENTICATION /etc/httpd/conf.modules.d/00-shib.conf

httpd-shib-foreground
case $AUTHENTICATION in
shibboleth)
echo "*** Starting httpd WITH Shibboleth support"
httpd-shib-foreground
;;
internal)
echo "*** Starting httpd WITHOUT Shibboleth support"
rm -f /etc/httpd/logs/httpd.pid /run/httpd/httpd.pid
httpd -DFOREGROUND
;;
*)
echo "*** Couldn't start httpd: unsupported AUTHENTICATION variable value: '$AUTHENTICATION'"
sleep infinity
;;
esac
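Review bot: The three `ln -sf … .auth.$AUTHENTICATION` lines run before the new `case` validates the variable, so an unset, empty or mistyped AUTHENTICATION first rewrites /etc/httpd/conf.d/midpoint.conf, shib.conf and conf.modules.d/00-shib.conf into dangling symlinks and only then reaches the `*)` arm; the container then sits in `sleep infinity` with a broken httpd configuration on disk, and any later manual restart of httpd inside it would run against those links. Validating the value before touching the configuration, and quoting the expansions in the `ln` lines, keeps the fail-closed behaviour without the side effect; the existing `*)` arm can then stay as a belt-and-braces check or be dropped. The diagnostic would also be better on stderr (`>&2`) so it is not interleaved with the normal startup output.

```shell
# Refuse to touch the httpd configuration unless the mode is one we support.
case "$AUTHENTICATION" in
  shibboleth|internal) ;;
  *)
    echo "*** Couldn't start httpd: unsupported AUTHENTICATION variable value: '$AUTHENTICATION'" >&2
    sleep infinity
    ;;
esac
ln -sf /run/secrets/mp_sp-key.pem /etc/shibboleth/sp-key.pem
ln -sf /run/secrets/mp_host-key.pem /etc/pki/tls/private/host-key.pem
ln -sf "/etc/httpd/conf.d/midpoint.conf.auth.$AUTHENTICATION" /etc/httpd/conf.d/midpoint.conf
ln -sf "/etc/httpd/conf.d/shib.conf.auth.$AUTHENTICATION" /etc/httpd/conf.d/shib.conf
ln -sf "/etc/httpd/conf.modules.d/00-shib.conf.auth.$AUTHENTICATION" /etc/httpd/conf.modules.d/00-shib.conf
# … unchanged: the start-up case (httpd-shib-foreground / httpd -DFOREGROUND) …
```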
@@ -1,5 +1,28 @@
#!/bin/bash

function check () {
local VARNAME=$1
if [ -z ${!VARNAME} ]; then
echo "*** Couldn't start midPoint: $VARNAME variable is undefined. Please check your Docker composition."
exit 1
fi
}

# These variables have reasonable defaults in Dockerfile. So we will _not_ supply defaults here.
# The composer or user has to make sure they are well defined.

check MP_MEM
check MP_DIR
check REPO_DATABASE_TYPE
check REPO_USER
check REPO_PASSWORD_FILE
check REPO_MISSING_SCHEMA_ACTION
check REPO_UPGRADEABLE_SCHEMA_ACTION
check MP_KEYSTORE_PASSWORD_FILE
check SSO_HEADER
check AJP_ENABLED
check AJP_PORT

java -Xmx$MP_MEM -Xms2048m -Dfile.encoding=UTF8 \
-Dmidpoint.home=$MP_DIR/var \
-Dmidpoint.repository.database=$REPO_DATABASE_TYPE \
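Review bot: `check` tests `[ -z ${!VARNAME} ]` with the indirect expansion unquoted, so a value containing whitespace (an MP_DIR with a space, for instance) turns into several words and makes `[` abort with a syntax error instead of passing, and a value with glob characters is expanded against the filesystem before the test; quote it as `if [[ -z "${!VARNAME}" ]]; then`. The list that follows omits AUTHENTICATION even though the java invocation later in this file branches on it, so an unset value silently selects the non-Shibboleth argument set; `check AUTHENTICATION` after `check AJP_PORT` would report it with the same clear message as the others. For REPO_PASSWORD_FILE and MP_KEYSTORE_PASSWORD_FILE it would also be worth testing that the referenced file is readable (`[[ -r "$REPO_PASSWORD_FILE" ]]`), since an unmounted secret is the most likely composition error and would otherwise surface much later as an opaque repository or keystore failure, though where those files are consumed is not visible in this hunk. The `java` command that begins at the end of the hunk continues past it.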
@@ -17,8 +40,7 @@ java -Xmx$MP_MEM -Xms2048m -Dfile.encoding=UTF8 \
-Dmidpoint.logging.alt.filename=/tmp/logmidpoint \
-Dmidpoint.logging.alt.timezone=UTC \
-Dspring.profiles.active="`$MP_DIR/active-spring-profiles`" \
-Dauth.sso.header=$SSO_HEADER \
$(if [ "$AUTHENTICATION" = "shibboleth" ]; then echo "-Dauth.logout.url=$MP_LOGOUT_URL"; fi) \
$(if [ "$AUTHENTICATION" = "shibboleth" ]; then echo "-Dauth.logout.url=$LOGOUT_URL -Dauth.sso.header=$SSO_HEADER"; fi) \
-Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
-Dserver.tomcat.ajp.port=$AJP_PORT \
-Dlogging.path=/tmp/logtomcat \
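Review bot: The replaced line passes the two Shibboleth-only options through an unquoted `$(…)`, so they reach java only via word splitting, and a LOGOUT_URL containing whitespace or shell glob characters would be split into extra arguments or expanded before the JVM sees it; nothing in this file's `check` list validates LOGOUT_URL either, so in shibboleth mode an unset value produces a bare `-Dauth.logout.url=` that is only noticed at logout time. Building the optional arguments in an array, with a `:?` guard on LOGOUT_URL when shibboleth is selected, passes each value verbatim and fails at startup with the same kind of message the new `check` function prints. The `java` command this line belongs to starts before the hunk and continues after it, so the array has to be declared ahead of the `java` line and expanded in place of the `$(…)`.

```shell
# Options only meaningful with Shibboleth in front of httpd; kept in an array so
# each value is passed to java as one argument, whatever characters it contains.
auth_opts=()
if [[ "$AUTHENTICATION" == "shibboleth" ]]; then
  : "${LOGOUT_URL:?LOGOUT_URL must be set when AUTHENTICATION=shibboleth. Please check your Docker composition.}"
  auth_opts+=("-Dauth.logout.url=$LOGOUT_URL" "-Dauth.sso.header=$SSO_HEADER")
fi
# … unchanged: java -Xmx$MP_MEM … -Dspring.profiles.active=… …
    "${auth_opts[@]}" \
    -Dserver.tomcat.ajp.enabled=$AJP_ENABLED \
```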
