From 3b4961a8cd513ef3514b78830187bdb2b841effd Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 08:31:33 -0500 Subject: [PATCH 01/12] Create rotateSealerKey.sh --- container_files/idp/rotateSealerKey.sh | 58 ++++++++++++++++++++++++++ 1 file changed, 58 insertions(+) create mode 100644 container_files/idp/rotateSealerKey.sh diff --git a/container_files/idp/rotateSealerKey.sh b/container_files/idp/rotateSealerKey.sh new file mode 100644 index 0000000..5939eca --- /dev/null +++ b/container_files/idp/rotateSealerKey.sh 
@@ -0,0 +1,58 @@
+#!/bin/bash
+
+set -e
+set -u
+
+# Default IDP_HOME if not already set
+if [ ! -d "${IDP_HOME:=/opt/shibboleth-idp}" ]
+then
+ echo "ERROR: Directory does not exist: ${IDP_HOME}" >&2
+ exit 1
+fi
+
+function get_config {
+ # Key to lookup (escape . for regex lookup)
+ local KEY=${1:?"No key provided to look up value"}
+ # Passed default value
+ local DEFAULT="${2:-}"
+ # Lookup key, strip spaces, replace idp.home with IDP_HOME value
+ local RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=(.*)\s*$|\1|; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p}' ${IDP_HOME}/conf/idp.properties)
+ # Set if no result with default - exit if no default
+ echo ${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}
+}
+
+# Get config values
+## Official config items ##
+storefile=$(get_config idp.sealer.storeResource)
+versionfile=$(get_config idp.sealer.versionResource)
+storepass=$(get_config idp.sealer.storePassword)
+alias=$(get_config idp.sealer.aliasBase secret)
+## Extended config items ##
+count=$(get_config idp.sealer._count 30)
+# default cannot be empty - so "self" is the default (self is skipped for syncing)
+sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME})
+
+# Run the keygen utility
+${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \ --storefile "${storefile}" \ --storepass "${storepass}" \ --versionfile "${versionfile}" \ --alias "${alias}" \ --count "${count}"
+
+# Display current version
+echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2
+
+for EACH in ${sync_hosts}
+do
+ if [ "${HOSTNAME}" == "${EACH}" ]
+ then
+ echo "INFO: Host '${EACH}' is myself - skipping" >&2
+ elif ! ping -q -c 1 -W 3 ${EACH} >/dev/null 2>&1
+ then
+ echo "ERROR: Host '${EACH}' not reachable - skipping" >&2
+ else
+ # run scp in the background
+ scp "${storefile}" "${versionfile}" "${EACH}:${IDP_HOME}/credentials/" &
+ fi
+done
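Review bot: `echo ${RESULT:-${DEFAULT:?...}}` in get_config leaves the looked-up value unquoted, so a storePassword (or any other value) containing spaces, `*` or `?` is word-split and glob-expanded before it reaches `--storepass`; write it as `printf '%s\n' "${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}"` and quote `"${IDP_HOME}/conf/idp.properties"` on the sed line for the same reason. The sync loop backgrounds each `scp` and the script then reaches end of file without a `wait`, so a failed copy is never reported and a peer can be left with a keystore that no longer matches the versionfile it received; add `wait` after `done` and log or fail on a non-zero status. Since this runs from cron, `scp -o BatchMode=yes` would make a missing known_hosts entry or an auth prompt fail immediately instead of hanging the job. Passing the store password as a `--storepass` argument exposes it in the process list for the duration of the tool run; that is the tool's interface, so a comment noting the exposure is the most this script can do.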
From e08e7007075b2276da520a57163b77d2f4b21e30 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 08:40:28 -0500 Subject: [PATCH 02/12] Update rotateSealerKey.sh --- container_files/idp/rotateSealerKey.sh | 9 ++++++++- 1 file changed, 8 insertions(+), 1 deletion(-) diff --git a/container_files/idp/rotateSealerKey.sh b/container_files/idp/rotateSealerKey.sh index 5939eca..07f789b 100644 --- a/container_files/idp/rotateSealerKey.sh +++ b/container_files/idp/rotateSealerKey.sh @@ -9,7 +9,14 @@ then echo "ERROR: Directory does not exist: ${IDP_HOME}" >&2 exit 1 fi - + +# Default JAVA_HOME if not already set +if [ ! -d "${JAVA_HOME:=/usr}" ] +then + echo "ERROR: JAVA_HOME Directory does not exist: ${JAVA_HOME}" >&2 + exit 1 +fi + function get_config { # Key to lookup (escape . for regex lookup) local KEY=${1:?"No key provided to look up value"} From fe272b84f1a476fd5226774a879acb1c67934374 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 08:45:25 -0500 Subject: [PATCH 03/12] Update rotateSealerKey.sh --- container_files/idp/rotateSealerKey.sh | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/container_files/idp/rotateSealerKey.sh b/container_files/idp/rotateSealerKey.sh index 07f789b..a311961 100644 --- a/container_files/idp/rotateSealerKey.sh +++ b/container_files/idp/rotateSealerKey.sh @@ -11,9 +11,11 @@ then fi # Default JAVA_HOME if not already set -if [ ! -d "${JAVA_HOME:=/usr}" ] +if [ -d "${JAVA_HOME:=/usr}" ] then - echo "ERROR: JAVA_HOME Directory does not exist: ${JAVA_HOME}" >&2 + export JAVA_HOME=${JAVA_HOME:=/usr} +else + echo "ERROR: JAVA_HOME Directory does not exist: ${JAVA_HOME:=/usr}" >&2 exit 1 fi From a30d5c95341cbeaac12a734da558d952cbcbca00 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 08:48:52 -0500 Subject: [PATCH 04/12] Update Dockerfile --- Dockerfile | 1 + 1 file changed, 1 insertion(+) diff --git a/Dockerfile b/Dockerfile index 3ae3fc2..2d2368d 100644 --- a/Dockerfile 
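Review bot: `export JAVA_HOME=${JAVA_HOME:=/usr}` repeats the default although the `:=` in the preceding test has already assigned it, and the `else` branch's `${JAVA_HOME:=/usr}` can never apply a default either because the variable is set by the time it runs. `export JAVA_HOME` on the success path and plain `${JAVA_HOME}` in the error message express the same thing with one copy of the constant instead of three. This is the final shape of the check introduced in the PATCH 02/12 hunk above.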
+++ b/Dockerfile @@ -159,6 +159,7 @@ ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT ADD container_files/tomcat/keystore.jks /opt/certs/ # Copy TIER helper scripts +ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/ && chmod +x /opt/shibboleth-idp/bin/rotateSealerKey.sh ADD container_files/system/startup.sh /usr/bin/ ADD container_files/bin/setenv.sh /opt/tier/setenv.sh ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh From 460c7de55af4f7ec7a2059ec03bc97dcc9fee0b6 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 08:56:34 -0500 Subject: [PATCH 05/12] Update setupcron.sh --- container_files/bin/setupcron.sh | 2 ++ 1 file changed, 2 insertions(+) diff --git a/container_files/bin/setupcron.sh b/container_files/bin/setupcron.sh index ee1ec96..2061672 100644 --- a/container_files/bin/setupcron.sh +++ b/container_files/bin/setupcron.sh @@ -8,6 +8,8 @@ CRONFILE=/opt/tier/tier-cron #build crontab file with random start time between midnight and 3:59am echo "#send daily beacon to TIER Central" > ${CRONFILE} echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE} +echo "#rotate IdP data sealer key" > ${CRONFILE} +echo "0 1 * * * /opt/shibboleth-idp/bin/rotateSealerKey.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE} chmod 644 ${CRONFILE} #install crontab From 46c9d0022ab91d2700f437139fda69107a356124 Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 09:24:11 -0500 Subject: [PATCH 06/12] Update Dockerfile --- Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 2d2368d..02f4a8a 100644 --- a/Dockerfile +++ b/Dockerfile 
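Review bot: `0 1 * * * /opt/shibboleth-idp/bin/rotateSealerKey.sh` runs rotation at exactly 01:00 in every container built from this image, and rotateSealerKey.sh pushes its freshly generated keystore and versionfile to every host in idp.sealer._sync_hosts, so two IdP nodes that list each other would presumably each generate a different key in the same minute and overwrite one another's credentials directory. If that deployment shape is expected, either only one member of a sync group should have the cron entry or the start minute should be randomised the way the beacon line above does. The same schedule is kept by the PATCH 08/12 hunk below. A comment such as `# only one member of a sealer sync group should run this` on the line would at least make the assumption visible to operators.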
@@ -159,7 +159,7 @@ ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT ADD container_files/tomcat/keystore.jks /opt/certs/ # Copy TIER helper scripts -ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/ && chmod +x /opt/shibboleth-idp/bin/rotateSealerKey.sh +ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh && chmod +x /opt/shibboleth-idp/bin/rotateSealerKey.sh ADD container_files/system/startup.sh /usr/bin/ ADD container_files/bin/setenv.sh /opt/tier/setenv.sh ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh From 0fd30869418abc9b5bf73be8d34e4c0586244e4b Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 09:30:01 -0500 Subject: [PATCH 07/12] Update Dockerfile --- Dockerfile | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index 02f4a8a..bbe30f1 100644 --- a/Dockerfile +++ b/Dockerfile @@ -159,7 +159,8 @@ ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT ADD container_files/tomcat/keystore.jks /opt/certs/ # Copy TIER helper scripts -ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh && chmod +x /opt/shibboleth-idp/bin/rotateSealerKey.sh +ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh +RUN chmod +x /opt/shibboleth-idp/bin/rotateSealerKey.sh ADD container_files/system/startup.sh /usr/bin/ ADD container_files/bin/setenv.sh /opt/tier/setenv.sh ADD container_files/bin/setupcron.sh /usr/bin/setupcron.sh From 366de0ae3764a19ef65262092550d8fc83156dbb Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 09:50:04 -0500 Subject: [PATCH 08/12] Update setupcron.sh --- container_files/bin/setupcron.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container_files/bin/setupcron.sh b/container_files/bin/setupcron.sh index 2061672..8612b09 100644 --- a/container_files/bin/setupcron.sh +++ b/container_files/bin/setupcron.sh 
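Review bot: `ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh` copies a local file, for which `COPY` is the conventional instruction; `ADD` also fetches URLs and auto-extracts archives, more capability than this line needs and the usual linter finding. `COPY container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh` keeps the separate `RUN chmod +x` unchanged. The neighbouring lines already use `ADD`, so this may be a deliberate consistency choice for the file.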
@@ -8,7 +8,7 @@ CRONFILE=/opt/tier/tier-cron #build crontab file with random start time between midnight and 3:59am echo "#send daily beacon to TIER Central" > ${CRONFILE} echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/bin/sendtierbeacon.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE} -echo "#rotate IdP data sealer key" > ${CRONFILE} +echo "#rotate IdP data sealer key" >> ${CRONFILE} echo "0 1 * * * /opt/shibboleth-idp/bin/rotateSealerKey.sh >> /var/log/cron.log 2>&1" >> ${CRONFILE} chmod 644 ${CRONFILE} From 8885533885f153842c9dfdb1255abdc4da64dfac Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 14:45:35 -0500 Subject: [PATCH 09/12] Update rotateSealerKey.sh --- container_files/idp/rotateSealerKey.sh | 61 ++++++++++++++------------ 1 file changed, 33 insertions(+), 28 deletions(-) diff --git a/container_files/idp/rotateSealerKey.sh b/container_files/idp/rotateSealerKey.sh index a311961..0d5f7fe 100644 --- a/container_files/idp/rotateSealerKey.sh +++ b/container_files/idp/rotateSealerKey.sh @@ -2,24 +2,27 @@ set -e set -u - -# Default IDP_HOME if not already set -if [ ! -d "${IDP_HOME:=/opt/shibboleth-idp}" ] + +if [ ${ENABLE_SEALER_KEY_ROTATION:=True} -eq 'True' ] then + + # Default IDP_HOME if not already set + if [ ! -d "${IDP_HOME:=/opt/shibboleth-idp}" ] + then echo "ERROR: Directory does not exist: ${IDP_HOME}" >&2 exit 1 -fi + fi -# Default JAVA_HOME if not already set -if [ -d "${JAVA_HOME:=/usr}" ] -then + # Default JAVA_HOME if not already set + if [ -d "${JAVA_HOME:=/usr}" ] + then export JAVA_HOME=${JAVA_HOME:=/usr} -else + else echo "ERROR: JAVA_HOME Directory does not exist: ${JAVA_HOME:=/usr}" >&2 exit 1 -fi + fi -function get_config { + function get_config { # Key to lookup (escape . for regex lookup) local KEY=${1:?"No key provided to look up value"} # Passed default value 
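Review bot: Wrapping the whole script body in `if [ ... ]` re-indents every control line but leaves the `echo`/`exit 1` lines inside the IDP_HOME and JAVA_HOME blocks at their old indentation (they survive as unchanged context while the surrounding `if`/`then`/`fi` moved), and it places the `get_config` function definition inside a conditional. An early guard at the top, e.g. `[ "${ENABLE_SEALER_KEY_ROTATION:=True}" = 'True' ] || { echo "INFO: sealer key rotation disabled" >&2; exit 0; }`, would leave the rest of the file untouched and also log why a disabled run did nothing, which as written exits 0 silently. The expansion in the new test is unquoted, so a value containing whitespace breaks the `[` expression; the `-eq` integer comparison is corrected to `=` in PATCH 11/12. The same re-indentation applies to the next two hunks of this patch.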
@@ -28,32 +31,32 @@ function get_config { local RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=(.*)\s*$|\1|; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p}' ${IDP_HOME}/conf/idp.properties) # Set if no result with default - exit if no default echo ${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}} -} + } -# Get config values -## Official config items ## -storefile=$(get_config idp.sealer.storeResource) -versionfile=$(get_config idp.sealer.versionResource) -storepass=$(get_config idp.sealer.storePassword) -alias=$(get_config idp.sealer.aliasBase secret) -## Extended config items ## -count=$(get_config idp.sealer._count 30) -# default cannot be empty - so "self" is the default (self is skipped for syncing) -sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME}) + # Get config values + ## Official config items ## + storefile=$(get_config idp.sealer.storeResource) + versionfile=$(get_config idp.sealer.versionResource) + storepass=$(get_config idp.sealer.storePassword) + alias=$(get_config idp.sealer.aliasBase secret) + ## Extended config items ## + count=$(get_config idp.sealer._count 30) + # default cannot be empty - so "self" is the default (self is skipped for syncing) + sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME}) -# Run the keygen utility -${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \ + # Run the keygen utility + ${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \ --storefile "${storefile}" \ --storepass "${storepass}" \ --versionfile "${versionfile}" \ --alias "${alias}" \ --count "${count}" -# Display current version -echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2 + # Display current version + echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2 -for EACH in ${sync_hosts} -do + for EACH in ${sync_hosts} + do if [ "${HOSTNAME}" == "${EACH}" ] then echo "INFO: Host '${EACH}' is myself - skipping" >&2 
@@ -64,4 +67,6 @@ do # run scp in the background scp "${storefile}" "${versionfile}" "${EACH}:${IDP_HOME}/credentials/" & fi -done + done + +fi From 422c9647444c22c6ea0fca5d93282ffab6f517aa Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 14:45:44 -0500 Subject: [PATCH 10/12] Update Dockerfile --- Dockerfile | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/Dockerfile b/Dockerfile index bbe30f1..1bfa482 100644 --- a/Dockerfile +++ b/Dockerfile @@ -10,7 +10,7 @@ ENV TOMCAT_MAJOR=9 \ ##shib-idp \ VERSION=3.4.3 \ ##TIER \ - TIERVERSION=20190201 \ + TIERVERSION=20190401 \ ################## \ ### OTHER VARS ### \ ################## \ @@ -32,6 +32,10 @@ ENV TOMCAT_TGZ_URL=https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/v$TOM ENV ENV=dev \ USERTOKEN=nothing +#The environment variable below controls whether or not the IdP's data sealer is automatically rotated daily. +# Set to False if you supply this file dynamically via secrets (or some other similar mechanism). +ENV ENABLE_SEALER_KEY_ROTATION=True + #set labels LABEL Vendor="Internet2" \ ImageType="Shibboleth IDP Release" \ From 55558b6c7dafbe60a1a744f3dfc871451e50c27e Mon Sep 17 00:00:00 2001 From: Paul Caskey Date: Thu, 25 Apr 2019 15:27:31 -0500 Subject: [PATCH 11/12] Update rotateSealerKey.sh --- container_files/idp/rotateSealerKey.sh | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/container_files/idp/rotateSealerKey.sh b/container_files/idp/rotateSealerKey.sh index 0d5f7fe..25df465 100644 --- a/container_files/idp/rotateSealerKey.sh +++ b/container_files/idp/rotateSealerKey.sh @@ -3,7 +3,7 @@ set -e set -u -if [ ${ENABLE_SEALER_KEY_ROTATION:=True} -eq 'True' ] +if [ ${ENABLE_SEALER_KEY_ROTATION:=True} = 'True' ] then # Default IDP_HOME if not already set From 681aa80e4bac45fea7e73e3cb82b96a8526ed67f Mon Sep 17 00:00:00 2001 
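Review bot: `[ ${ENABLE_SEALER_KEY_ROTATION:=True} = 'True' ]` is a case-sensitive comparison against one spelling, so values such as `true`, `TRUE`, `yes` or `1` that compose files and orchestrator manifests commonly use silently disable rotation with no log line, and the expansion is still unquoted. Quoting it and normalising with `case "${ENABLE_SEALER_KEY_ROTATION,,}" in true|yes|1) ;; *) echo "INFO: sealer key rotation disabled" >&2; exit 0 ;; esac` would accept the usual spellings and make a disabled run visible in cron.log. If the strict comparison is kept, the Dockerfile comment added in the PATCH 10/12 hunk above should state that the value compared is exactly `True`, so that `false` and `true` are not both treated as "off".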
From: Paul Caskey Date: Thu, 2 May 2019 14:52:25 +0000 Subject: [PATCH 12/12] bump Shibb IdP to 3.4.4 --- Dockerfile | 4 ++-- container_files/idp/idp.installer.properties | 2 +- test-compose/idp/Dockerfile | 3 ++- 3 files changed, 5 insertions(+), 4 deletions(-) diff --git a/Dockerfile b/Dockerfile index 1bfa482..391a9ff 100644 --- a/Dockerfile +++ b/Dockerfile @@ -8,9 +8,9 @@ FROM centos:centos7 ENV TOMCAT_MAJOR=9 \ TOMCAT_VERSION=9.0.19 \ ##shib-idp \ - VERSION=3.4.3 \ + VERSION=3.4.4 \ ##TIER \ - TIERVERSION=20190401 \ + TIERVERSION=20190502 \ ################## \ ### OTHER VARS ### \ ################## \ diff --git a/container_files/idp/idp.installer.properties b/container_files/idp/idp.installer.properties index 321a842..b02bae0 100644 --- a/container_files/idp/idp.installer.properties +++ b/container_files/idp/idp.installer.properties @@ -1,4 +1,4 @@ -idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-3.4.3 +idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-3.4.4 idp.target.dir=/opt/shibboleth-idp idp.host.name=idp.example.org idp.sealer.password=changeit diff --git a/test-compose/idp/Dockerfile b/test-compose/idp/Dockerfile index fa8ed18..513790d 100644 --- a/test-compose/idp/Dockerfile +++ b/test-compose/idp/Dockerfile @@ -1,4 +1,5 @@ -FROM tier/shib-idp:3.4.2_181201 +FROM tier/shib-idp:latest +#FROM tier/shib-idp:3.4.4_20190502 # The build args below can be used at build-time to tell the build process where to find your config files. This is for a completely burned-in config. ARG TOMCFG=config/tomcat
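Review bot: `FROM tier/shib-idp:latest` replaces a pinned tag with a floating one, so the test image changes content whenever a new release is pushed and a given build can no longer be reproduced or traced to a specific IdP version; the commented-out `#FROM tier/shib-idp:3.4.4_20190502` line suggests the pinned form was the intent. Keep the pinned tag (or a digest) as the active line and, if `latest` exists only to ease local testing, leave that as the comment instead.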