diff --git a/Dockerfile b/Dockerfile index 0e6f83e..170f632 100644 --- a/Dockerfile +++ b/Dockerfile @@ -6,11 +6,11 @@ FROM centos:centos7 # ##tomcat \ ENV TOMCAT_MAJOR=9 \ - TOMCAT_VERSION=9.0.11 \ + TOMCAT_VERSION=9.0.12 \ ##shib-idp \ VERSION=3.3.3 \ ##TIER \ - TIERVERSION=180802 \ + TIERVERSION=181001 \ ################## \ ### OTHER VARS ### \ ################## \ @@ -231,5 +231,4 @@ EXPOSE 443 HEALTHCHECK --interval=2m --timeout=30s \ CMD curl -k -f https://127.0.0.1/idp/status || exit 1 - CMD ["/usr/bin/startup.sh"] diff --git a/Jenkinsfile b/Jenkinsfile index 0c04d9d..bb501f6 100644 --- a/Jenkinsfile +++ b/Jenkinsfile @@ -19,8 +19,8 @@ node('docker') { checkout scm - stage 'Acquire util' - + stage 'Acquire util files' + sh 'mkdir -p tmp && mkdir -p bin' dir('tmp'){ git([ url: "https://github.internet2.edu/docker/util.git", @@ -51,6 +51,7 @@ node('docker') { } stage 'Build' + try{ sh 'bin/rebuild.sh &> debug' } catch(error) { @@ -59,6 +60,17 @@ node('docker') { sh "rm -f ./debug" handleError(message) } + + stage 'Test' + + try { + sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0' + } catch (error) { + def error_details = readFile('./debug') + def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } stage 'Push' @@ -68,7 +80,7 @@ node('docker') { } stage 'Notify' - + slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" } diff --git a/tests/checkidpver.sh b/tests/checkidpver.sh new file mode 100755 index 0000000..d9fea87 --- /dev/null +++ b/tests/checkidpver.sh 
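Review bot: The new Test stage in the Jenkinsfile relies on `${PIPESTATUS[0]}` to carry bin/test.sh's exit status through `tee`, but `PIPESTATUS` is a bash array and the Jenkins `sh` step runs `/bin/sh`; on an agent where `/bin/sh` is not bash the expansion is a "Bad substitution" error and the stage fails regardless of the test outcome, while on bash-as-sh agents it works only by accident of the OS. A portable form is a bash script with pipefail: `sh '''#!/bin/bash\nset -o pipefail\nbin/test.sh 2>&1 | tee debug'''`. The catch block repeats the Build stage's error handling line for line; a small helper taking the stage name would keep the two in step. The enclosing `node('docker')` block and `handleError` are defined outside the hunk.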
@@ -0,0 +1,66 @@
+#!/bin/bash
+
+launchflag="no"
+kill_launched_containers() {
+ if [ ${launchflag} == 'yes' ]; then
+ echo 'removing container...'
+ docker kill ${contid} &>/dev/null
+ docker rm ${contid} &>/dev/null
+ fi
+}
+
+#determine whether to get running version from container or local instance
+which docker &>/dev/null
+if [ $? == '0' ]; then
+ if [ $# -lt '1' ]; then
+ echo "Docker detected, but no container name passed in... Terminating."
+ echo ""
+ exit 1
+ fi
+
+ #ensure container is running
+ docker ps | grep $1 &>/dev/null
+ if [ $? -ne '0' ]; then
+ docker run -d $1 &>/dev/null
+ launchflag="yes"
+ echo 'launching container (will take about a minute)...'
+ sleep 60
+ fi
+
+ #get container ID
+ export contid=$(docker ps | grep $1 | cut -f 1 -d ' ')
+
+ if [ -z "$contid" ]; then
+ echo "Specified container does not appear to be running... Terminating."
+ echo ""
+ exit 1
+ fi
+
+ #get version from running status page inside container
+ export shibver=$(docker exec ${contid} /usr/bin/curl -k -s https://127.0.0.1/idp/status | grep idp_version | cut -f 2 -d ':' | xargs)
+else
+ #get version from running status page on local install
+ export shibver=$(curl -k -s https://127.0.0.1/idp/status | grep idp_version | cut -f 2 -d ':' | xargs)
+fi
+
+if [ -z "$(echo $shibver | xargs)" ]; then
+ echo "Unable to determine version from a running instance... Terminating."
+ echo ""
+ exit 1
+fi
+
+#check if that version is available in the 'latest' download area (return is 0 if current, non-zero if not current)
+wget -q --spider https://shibboleth.net/downloads/identity-provider/latest/shibboleth-identity-provider-${shibver}.tar.gz
+
+if [ $? == '0' ]; then
+ echo "Running IdP version (${shibver}) is current!"
+ kill_launched_containers
+ echo ""
+ exit 0
+else
+ echo "Running IdP version (${shibver}) is NOT current."
+ kill_launched_containers
+ echo ""
+ exit 1
+fi
+
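Review bot: `docker ps | grep $1`, used both to decide whether to launch and to pick `contid`, matches any `docker ps` row whose text contains the argument, so a container running a different image whose name merely contains that string can be selected, and when `launchflag` is 'yes' that unrelated container is what `kill_launched_containers` stops and removes; `$1` is also unquoted in both `grep` and `docker run -d`. Prefer `contid=$(docker ps -q --filter "ancestor=$1" | head -n1)` and quote `"$1"`. The exit path under `#get container ID` (empty `contid`) returns without calling `kill_launched_containers`, so a container this script started is left running. The same structure, with the same two issues, is repeated in tests/checktomcatver.sh. Finally, `wget --spider` failing for any reason (network, site outage) is reported as "NOT current"; it may be worth distinguishing a failed lookup from a genuine version mismatch, e.g. by checking that the download area itself answers before checking the versioned path.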
diff --git a/tests/checktomcatver.sh b/tests/checktomcatver.sh
new file mode 100755
index 0000000..e2c1459
--- /dev/null
+++ b/tests/checktomcatver.sh
@@ -0,0 +1,67 @@
+#!/bin/bash
+
+launchflag="no"
+kill_launched_containers() {
+ if [ ${launchflag} == 'yes' ]; then
+ echo 'removing container...'
+ docker kill ${contid} &>/dev/null
+ docker rm ${contid} &>/dev/null
+ fi
+}
+
+#determine whether to get running version from container or local instance
+which docker &>/dev/null
+if [ $? == '0' ]; then
+ if [ $# -lt '1' ]; then
+ echo "Docker detected, but no container name passed in... Terminating."
+ echo ""
+ exit 1
+ fi
+
+ #ensure container is running
+ docker ps | grep $1 &>/dev/null
+ if [ $? -ne '0' ]; then
+ docker run -d $1 &>/dev/null
+ launchflag="yes"
+ echo 'launching container (will take several seconds)...'
+ sleep 30
+ fi
+
+ #get container ID
+ export contid=$(docker ps | grep $1 | cut -f 1 -d ' ')
+
+ if [ -z "$contid" ]; then
+ echo "Specified container does not appear to be running... Terminating."
+ echo ""
+ exit 1
+ fi
+
+ #get version from running status page inside container
+ export tomcatver=$(docker exec ${contid} /usr/local/tomcat/bin/version.sh | grep "Server version" | cut -f 2 -d ':' | cut -f 2 -d '/')
+else
+ echo "Local install of tomcat not supported by this script... Terminating."
+ echo ""
+ exit 1
+fi
+
+if [ -z "$(echo $tomcatver | xargs)" ]; then
+ echo "Unable to determine tomcat version from a running instance... Terminating."
+ echo ""
+ exit 1
+fi
+
+#check if that version of tomcat is available in the download area (return is 0 if current, non-zero if not current)
+wget -q --spider http://apache.mirrors.ionfish.org/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz
+
+if [ $? == '0' ]; then
+ echo "Running Tomcat version (${tomcatver}) is current!"
+ kill_launched_containers
+ echo ""
+ exit 0
+else
+ echo "Running Tomcat version (${tomcatver}) is NOT current."
+ kill_launched_containers
+ echo ""
+ exit 1
+fi
+
diff --git a/tests/main.bats b/tests/main.bats
new file mode 100644
index 0000000..98690b5
--- /dev/null
+++ b/tests/main.bats
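Review bot: The currency check `wget -q --spider http://apache.mirrors.ionfish.org/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz` depends on a single third-party mirror over plain HTTP; when that mirror drops the path or disappears, test 050 reports every build as NOT current with no way to tell the two cases apart. Probing the project's own HTTPS download host (e.g. the `https://downloads.apache.org/tomcat/tomcat-9/` tree) keeps the intended "is this release still in the current download area" semantics without the mirror dependency. The `tomcat-9` path segment is also hard-coded while the Dockerfile carries `TOMCAT_MAJOR`; deriving it from the version string, `tomcat-${tomcatver%%.*}`, avoids a silent false negative after a major bump. The container lookup and cleanup issues noted on tests/checkidpver.sh apply here unchanged.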
@@ -0,0 +1,65 @@
+#!/usr/bin/env bats
+
+load ../common
+
+@test "010 Image is present and healthy" {
+ docker image inspect ${maintainer}/${imagename}:${tag}
+}
+
+@test "020 All key files are present" {
+ docker run --rm -i ${maintainer}/${imagename}:${tag} \
+ find \
+ /opt/shibboleth-idp/credentials/idp-encryption.crt \
+ /opt/shibboleth-idp/credentials/idp-encryption.key \
+ /opt/shibboleth-idp/credentials/idp-signing.crt \
+ /opt/shibboleth-idp/credentials/idp-signing.key \
+ /usr/local/tomcat/ \
+ /usr/bin/java
+}
+
+@test "030 Port 443/https is listening" {
+ docker run -d ${maintainer}/${imagename}:${tag}
+ sleep 25
+ #get cont id
+ contid=$(docker ps | grep ${maintainer}/${imagename}:${tag} | cut -f 1 -d ' ')
+ run docker exec -i ${contid} sh -c 'cat < /dev/null > /dev/tcp/127.0.0.1/443'
+ docker kill ${contid} &>/dev/null
+ docker rm ${contid} &>/dev/null
+ [ "$status" -eq 0 ]
+}
+
+@test "040 The IdP Status page is present" {
+ docker run -d ${maintainer}/${imagename}:${tag}
+ sleep 60
+ contid2=$(docker ps | grep ${maintainer}/${imagename}:${tag} | cut -f 1 -d ' ')
+ run docker exec -i ${contid2} sh -c 'curl -I -k -s -f https://127.0.0.1/idp/status'
+ docker kill ${contid2} &>/dev/null
+ docker rm ${contid2} &>/dev/null
+ [ "$status" -eq 0 ]
+}
+
+@test "050 The version of Tomcat is current" {
+ ./checktomcatver.sh ${maintainer}/${imagename}:${tag}
+}
+
+@test "060 The version of the IdP is current" {
+ ./checkidpver.sh ${maintainer}/${imagename}:${tag}
+}
+
+@test "070 There are no known security vulnerabilities" {
+ if [ ! -s ./clair-scanner ]; then
+ curl -L -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
+ chmod 755 clair-scanner
+ fi
+ docker run -p 5432:5432 -d --name db arminc/clair-db:latest
+ sleep 15
+ docker run -p 6060:6060 --link db:postgres -d --name clair arminc/clair-local-scan:v2.0.5
+ sleep 30
+ ./clair-scanner --ip 172.17.0.1 ${maintainer}/${imagename}:${tag}
+ docker kill clair
+ docker rm clair
+ docker kill db
+ docker rm db
+}
+
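Review bot: Test 070 fetches `clair-scanner_linux_amd64` with `curl -L` and executes it on the CI agent without verifying its digest, so the vulnerability gate itself runs whatever the download endpoint returned; pinning the SHA-256 of the v8 release and checking it with `sha256sum -c` before `chmod 755` closes that gap. In the same test, a non-zero exit from `./clair-scanner` (the expected outcome when findings exist) aborts the bats test before the `docker kill`/`docker rm` lines, and because the containers carry the fixed names `db` and `clair`, every following run then fails on a name conflict rather than on the scan; capturing the status with `run` and cleaning up before the assertion, as tests 030 and 040 already do, avoids that. `arminc/clair-db:latest` is also the only unpinned image in the file, which makes the scan's findings non-reproducible between runs. Tests 030 and 040 locate their container with `docker ps | grep … | cut`, which matches any row containing the image string, so a stale container from an earlier run can be the one that is probed and removed.

```shell
@test "070 There are no known security vulnerabilities" {
  if [ ! -s ./clair-scanner ]; then
    curl -fsSL -o ./clair-scanner https://github.com/arminc/clair-scanner/releases/download/v8/clair-scanner_linux_amd64
    # refuse to execute a binary whose digest does not match the pinned v8 release
    echo "<EXPECTED_SHA256_OF_V8_BINARY>  ./clair-scanner" | sha256sum -c -
    chmod 755 clair-scanner
  fi
  # … unchanged: start db and clair containers, sleeps …
  run ./clair-scanner --ip 172.17.0.1 ${maintainer}/${imagename}:${tag}
  docker kill clair db &>/dev/null
  docker rm clair db &>/dev/null
  [ "$status" -eq 0 ]
}
```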