Merge pull request #129 from docker/latest5
merge to latest 5, Rocky 8, MA
pcaskey committed Dec 18, 2023
2 parents 124299f + 0466361 commit db932cd
Showing 11 changed files with 284 additions and 169 deletions.
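--- a/.trivyignore
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Accept the risk
+CVE-2016-1000027
+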
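Review bot: The new ignore for `CVE-2016-1000027` records only `# Accept the risk`, which tells the next reader neither which component the finding is in nor why it is not reachable in this image, so the exception can never be re-evaluated or retired. Replace the comment with a rationale plus owner and date, e.g. `# CVE-2016-1000027: <affected component> - <why it is not exploitable in this deployment>; accepted by <owner> on <date>, revisit <date>`. Newer trivy releases also accept an `exp:YYYY-MM-DD` suffix on the CVE line so the ignore expires on its own; the v0.31.1 the Jenkinsfile installs may predate that, so confirm before relying on it.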
61 changes: 28 additions & 33 deletions Dockerfile
@@ -1,16 +1,16 @@
FROM centos:centos7
FROM --platform=$TARGETPLATFORM rockylinux:8.8

########################
### VERSION SETTINGS ###
########################
#
##tomcat \
ENV TOMCAT_MAJOR=10 \
TOMCAT_VERSION=10.1.13 \
TOMCAT_VERSION=10.1.17 \
##shib-idp \
VERSION=5.0.0 \
##TIER \
TIERVERSION=20230914 \
TIERVERSION=20231218_rocky8_multiarch \
#################### \
#### OTHER VARS #### \
#################### \
@@ -39,7 +39,7 @@ ENV ENABLE_SEALER_KEY_ROTATION=True
LABEL Vendor="Internet2" \
ImageType="Shibboleth IDP Release" \
ImageName=$imagename \
ImageOS=centos7 \
ImageOS=RockyLinux8 \
Version=$VERSION

#########################
@@ -52,7 +52,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \

# Install base deps
RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor fontconfig && \
yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim rsyslog cronie krb5-workstation openssl-devel supervisor fontconfig findutils && \
yum -y clean all && \
mkdir -p /opt/tier && \
# Install Trusted Certificates
@@ -69,16 +69,11 @@ RUN update-ca-trust extract
# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
##### ENV TIER_BEACON_OPT_OUT True

# Install Corretto Java JDK
#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/downloads-list.html
ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-17-x64-linux-jdk.rpm
ARG CORRETTO_RPM=amazon-corretto-17-x64-linux-jdk.rpm
COPY container_files/java-corretto/corretto-signing-key.pub .
RUN curl -O -L $CORRETTO_URL_PERM \
&& rpm --import corretto-signing-key.pub \
&& rpm -K $CORRETTO_RPM \
&& rpm -i $CORRETTO_RPM \
&& rm -r corretto-signing-key.pub $CORRETTO_RPM

# Install Corretto Java JDK (from Amazon repo, more arch independent)
RUN rpm --import https://yum.corretto.aws/corretto.key \
&& curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \
&& yum install -y java-17-amazon-corretto-devel
ENV JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto

# Copy IdP installer properties file(s)
@@ -98,27 +93,28 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
# Install
cd /tmp/shibboleth/$SHIB_PREFIX && \
./bin/install.sh \
--propertyFile /tmp/idp.installer.properties \
--noPrompt true \
--propertyFile /tmp/idp.installer.properties && \

# Cleanup
cd ~ && \
rm -rf /tmp/shibboleth

# Install tomcat
RUN mkdir -p "$CATALINA_HOME" && set -x \
&& wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
&& wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
&& wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
&& gpg --import $CATALINA_HOME/KEYS \
&& gpg $CATALINA_HOME/tomcat.tar.gz.asc \
&& curl -s -o $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
&& curl -s -o $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
&& curl -s -L -o $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
&& gpg --import $CATALINA_HOME/KEYS \
&& gpg $CATALINA_HOME/tomcat.tar.gz.asc \
&& gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
&& tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
&& rm $CATALINA_HOME/bin/*.bat \
&& rm $CATALINA_HOME/tomcat.tar.gz* \
&& mkdir -p $CATALINA_HOME/conf/Catalina \
&& rm -rf /usr/local/tomcat/webapps/* \
&& ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
&& rm $CATALINA_HOME/tomcat.tar.gz*
RUN mkdir -p $CATALINA_HOME/conf/Catalina \
&& rm -rf /usr/local/tomcat/webapps/* \
&& ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war

ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml

@@ -129,20 +125,16 @@ ADD container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar /usr/local/tomcat/
ADD container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar /usr/local/tomcat/lib/

#use log4j for tomcat logging
#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.2/log4j-core-2.17.2.jar /usr/local/tomcat/bin/
COPY container_files/tomcat/log4j-core-2.17.2.jar /usr/local/tomcat/bin/
#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.2/log4j-api-2.17.2.jar /usr/local/tomcat/bin/
COPY container_files/tomcat/log4j-api-2.17.2.jar /usr/local/tomcat/bin/
#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.17.2/log4j-jul-2.17.2.jar /usr/local/tomcat/bin/
COPY container_files/tomcat/log4j-jul-2.17.2.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/

RUN cd /usr/local/tomcat/; \
chmod +r bin/log4j-*.jar;
ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
RUN mkdir -p /usr/local/tomcat/webapps/ROOT
ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT
#ADD container_files/tomcat/keystore.jks /opt/certs/
ADD container_files/tomcat/idp-default.key /opt/certs/
ADD container_files/tomcat/idp-default.crt /opt/certs/

@@ -170,6 +162,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
#set cron to not require a login session
RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond

#upgrade pip to remove sec vuln
#RUN pip3 install --upgrade pip

# Expose the port tomcat will be serving on
EXPOSE 443

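Review bot: The three `ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/.../2.18.0/*.jar /usr/local/tomcat/bin/` lines fetch the Tomcat logging jars with no integrity check, so the build trusts whatever the mirror or any intermediary returns; the vendored 2.17.2 copies they replace were at least content-addressed by git. BuildKit's `--checksum` pins each download, e.g. `ADD --checksum=sha256:<log4j-core-2.18.0 sha256> https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/`, with `# syntax=docker/dockerfile:1` as the file's first line; Maven Central publishes the digests next to the artifacts. Separately, the Tomcat downloads `curl -s -o $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL"` and the two lines after it drop the fail-on-HTTP-error behaviour the replaced `wget -q -O` had: without `-f`, an error page is saved as the tarball and only surfaces later as a confusing gpg failure, so use `curl -fsSL -o` on all three. The Corretto repo fetch `curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo` has the same gap.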
277 changes: 183 additions & 94 deletions Jenkinsfile
@@ -1,104 +1,192 @@
// Licensed to the University Corporation for Advanced Internet Development,
// Inc. (UCAID) under one or more contributor license agreements. See the
// NOTICE file distributed with this work for additional information regarding
// copyright ownership. The UCAID licenses this file to You under the Apache
// License, Version 2.0 (the "License"); you may not use this file except in
// compliance with the License. You may obtain a copy of the License at
//
// http://www.apache.org/licenses/LICENSE-2.0
//
// Unless required by applicable law or agreed to in writing, software
//distributed under the License is distributed on an "AS IS" BASIS,
// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
// See the License for the specific language governing permissions and
// limitations under the License.
//
node('docker') {

stage 'Checkout'
pipeline {
agent { node { label 'docker-multi-arch' } }
environment {
maintainer = "t"
imagename = 's'
tag = 'l'
DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')

checkout scm

stage 'Acquire util files'

sh 'mkdir -p tmp && mkdir -p bin'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git",
credentialsId: "jenkins-github-access-token" ])
sh 'rm -rf ../bin/*'
sh 'mv ./bin/* ../bin/.'
}
sh 'rm -rf tmp'

stage 'Setting build context'

def maintainer = maintainer()
def previous_maintainer = previous_maintainer()
def imagename = imagename()
def tag

// Tag images created on master branch with 'latest'
if(env.BRANCH_NAME == "master"){
tag = "latest"
}else{
tag = env.BRANCH_NAME
}

if(!imagename){
echo "You must define an imagename in common.bash"
currentBuild.result = 'FAILURE'
}
if(maintainer){
echo "Building ${imagename}:${tag} for ${maintainer}"
}

stage 'Build'

try{
sh 'bin/rebuild.sh &> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
stages {
stage('Setting build context') {
steps {
script {
maintainer = maintain()
imagename = imagename()
if(env.BRANCH_NAME == "master") {
tag = "latest"
} else {
tag = env.BRANCH_NAME
}
if(!imagename){
echo "You must define an imagename in common.bash"
currentBuild.result = 'FAILURE'
}
sh 'mkdir -p tmp && mkdir -p bin'
dir('tmp'){
git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
sh 'rm -rf ../bin/*'
sh 'mv ./bin/* ../bin/.'
}
// Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
// We don't care if there are more 'tag' assignments there. The latest one wins.
sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
}
}
}
stage('Clean') {
steps {
script {
try{
sh 'bin/destroy.sh >> debug'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Build') {
steps {
script {
try{
sh 'docker login -u tieradmin -p $DOCKERHUBPW'
// fails if already exists
// sh 'docker buildx create --use --name multiarch --append'
sh 'docker buildx inspect --bootstrap'
sh 'docker buildx ls'
sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Test') {
steps {
script {
try {
echo "Starting tests..."
sh 'bats tests'
// echo "Skipping tests for now"
} catch (error) {
def error_details = readFile('./debug')
def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Scan') {
steps {
script {
try {
echo "Starting security scan..."
// Install trivy and HTML template
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'

// Scan container for all vulnerability levels
echo "Scanning for all vulnerabilities..."
sh 'mkdir -p reports'
// 2 commented scans below are OS-only, in case timeout issues occur
sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
// sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
// sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan.html',
reportName: 'Security Scan',
reportTitles: 'Security Scan'
]
publishHTML target : [
allowMissing: true,
alwaysLinkToLastBuild: true,
keepAll: true,
reportDir: 'reports',
reportFiles: 'container-scan-arm.html',
reportName: 'Security Scan (ARM)',
reportTitles: 'Security Scan (ARM)'
]
// Scan again and fail on CRITICAL vulns
//below can be temporarily commented to prevent build from failing
echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
// 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
// sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
//echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Push') {
steps {
script {
sh 'docker login -u tieradmin -p $DOCKERHUBPW'
// fails if already exists
// sh 'docker buildx create --use --name multiarch --append'
sh 'docker buildx inspect --bootstrap'
sh 'docker buildx ls'
echo "Pushing image to dockerhub..."
sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
}
}
}
stage('Cleanup') {
steps {
script {
try{
echo "Cleaning up artifacts from the build..."
sh 'tests/cleanup.sh'
} catch(error) {
def error_details = readFile('./debug');
def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}
}
}
}
stage('Notify') {
steps{
echo "$maintainer"
slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
}
}
}

stage 'Test'

try {
sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
} catch (error) {
def error_details = readFile('./debug')
def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
sh "rm -f ./debug"
handleError(message)
}

stage 'Push'

docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
def baseImg = docker.build("$maintainer/$imagename")
baseImg.push("$tag")
post {
always {
echo 'Done Building.'
}
failure {
// slackSend color: 'good', message: "Build failed"
handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
}
}

docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
def altImg = docker.build("$previous_maintainer/$imagename")
altImg.push("$tag")
}

stage 'Notify'

slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"

}

def maintainer() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'i2incommon'
}

def previous_maintainer() {
def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
def maintain() {
def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'tier'
}

@@ -110,7 +198,8 @@ def imagename() {
def handleError(String message){
echo "${message}"
currentBuild.setResult("FAILED")
slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"
slackSend color: 'danger', message: "${message}"
//step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
sh 'exit 1'
}

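Review bot: `sh 'docker login -u tieradmin -p $DOCKERHUBPW'` in the Build stage (and again in Push) passes the Hub password on docker's command line, where it is readable by any process on the agent via `ps`; Jenkins masks the credential in the console log but not on the host. Pipe it instead: `sh 'echo "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'`, in both places. The catch blocks in Build, Test and Scan also call `readFile('./debug')`, but none of their `sh` steps write to `./debug` (only `bin/destroy.sh >> debug` in Clean does), so a failure there reports stale output from Clean or throws inside the handler and hides the real error, whereas the removed `bin/test.sh 2>&1 | tee debug` did capture it; either redirect those steps to `debug` again or drop the `readFile`. The trivy bootstrap `curl -sfL .../contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1` pins the trivy version but executes an unpinned installer script from the repository's `main` branch; fetching the release archive directly and checking its published checksum would close that gap.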
Binary file removed container_files/tomcat/keystore.jks
Binary file not shown.
2 changes: 1 addition & 1 deletion test-compose/idp/Dockerfile
@@ -1,4 +1,4 @@
FROM i2incommon/shib-idp:latest
FROM i2incommon/shib-idp:latest5

# The build args below can be used at build-time to tell the build process where to find your config files. This is for a completely burned-in config.
ARG TOMCFG=config/tomcat
11 changes: 6 additions & 5 deletions test-compose/idp/container_files/config/tomcat/server.xml
@@ -4,12 +4,12 @@
<Listener className="org.apache.catalina.core.JreMemoryLeakPreventionListener" />

<Service name="Catalina">

<Connector protocol="org.apache.coyote.http11.Http11NioProtocol"
port="443"
port="443"
maxThreads="200"
scheme="https"
secure="true"
secure="true"
SSLEnabled="true"
defaultSSLHostConfigName="IdP">
<SSLHostConfig hostName="IdP"
@@ -18,9 +18,10 @@
honorCipherOrder="false"
protocols="TLSv1.2,TLSv1.3">
<Certificate
certificateFile="/opt/certs/idp-default.crt"
certificateKeyFile="/opt/certs/idp-default.key" />
certificateFile="/opt/certs/idp-default.crt"
certificateKeyFile="/opt/certs/idp-default.key" />
</SSLHostConfig>
<!--<UpgradeProtocol className="org.apache.coyote.http2.Http2Protocol" />-->
</Connector>

<Engine name="Catalina" defaultHost="localhost">
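--- a/test-compose/webisoget/Dockerfile
+++ b/test-compose/webisoget/Dockerfile
@@ -0,0 +1,10 @@
+FROM rockylinux:8.6
+
+RUN yum -y install libtool autoconf automake gcc make libcurl-devel openssl-devel git
+
+RUN cd /; git clone https://github.com/UWIT-IAM/webisoget; cd /webisoget; bash ./boot;./configure --disable-dependency-tracking;make;make install
+
+COPY sptest.login /webisoget
+
+#ENTRYPOINT ["usr/local/bin/webisoget"]
+CMD ["tail", "-f", "/dev/null"]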
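Review bot: `RUN cd /; git clone https://github.com/UWIT-IAM/webisoget; cd /webisoget; bash ./boot;./configure --disable-dependency-tracking;make;make install` chains every step with `;`, so a failed clone, configure or make still produces a successful layer and the harness only finds out when `webisoget` is missing at run time; it also builds whatever upstream's default branch points at on the day, so the test image is neither reproducible nor insulated from changes in that repository. Chain with `&&`, pin the checkout to a tag or commit through a build arg, and use `WORKDIR` instead of `cd`; the yum layer should also `yum -y clean all` so the package cache does not stay in the image. The base `rockylinux:8.6` is also behind the `rockylinux:8.8` the main Dockerfile moves to in this same commit; aligning them leaves one base to track.
```dockerfile
FROM rockylinux:8.6

RUN yum -y install libtool autoconf automake gcc make libcurl-devel openssl-devel git \
    && yum -y clean all

# Pin the checkout so the test image is reproducible and not tied to upstream HEAD.
ARG WEBISOGET_REF=<pinned-tag-or-commit>
WORKDIR /webisoget
RUN git clone https://github.com/UWIT-IAM/webisoget . \
    && git checkout "$WEBISOGET_REF" \
    && bash ./boot \
    && ./configure --disable-dependency-tracking \
    && make \
    && make install
# … unchanged: COPY sptest.login, CMD …
```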
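--- a/test-compose/webisoget/sptest.login
+++ b/test-compose/webisoget/sptest.login
@@ -0,0 +1,3 @@
+name=; domain=idp.example.edu; j_username=kwhite; j_password=password;
+name=shibboleth;
+name=form1;submit_value=Continue;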
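--- a/tests/cleanup.sh
+++ b/tests/cleanup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. ./common.bash
+
+result=$(docker ps -a | grep ${imagename}_${tag})
+if [ ! -z "$result" ]; then
+echo "removing existing containers"
+docker rm -f $(docker ps -a | grep ${imagename}_${tag} | awk '{print $1}')
+fi
+docker rmi -f ${imagename}_${tag}
+
+result2=$(docker ps -a | grep ${imagename}_${tag}:arm64)
+if [ ! -z "$result2" ]; then
+echo "removing existing containers"
+docker rm -f $(docker ps -a | grep ${imagename}_${tag}:arm64 | awk '{print $1}')
+fi
+docker rmi -f ${imagename}_${tag}:arm64
+
+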
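Review bot: `result=$(docker ps -a | grep ${imagename}_${tag})` and the matching `docker rm -f $(docker ps -a | grep ${imagename}_${tag} | awk '{print $1}')` select containers by an unanchored substring match across every column of `docker ps` output (image, command, names), so any container whose name or command merely contains that string is force-removed as well, and the first block's pattern also matches the `:arm64` containers the second block handles. `docker ps -aq --filter "ancestor=${imagename}_${tag}"` selects by image and prints only IDs, so each block collapses to `docker rm -f $(docker ps -aq --filter "ancestor=${imagename}_${tag}")` guarded by a `-n` test on that same command's output, with no `grep`/`awk`. Quoting the expansions (`"${imagename}_${tag}"`) also keeps an image name with unusual characters from being word-split.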
45 changes: 22 additions & 23 deletions tests/fulltest.sh
@@ -1,4 +1,7 @@
#!/bin/bash
echo "Starting fulltest.sh script..."

. ./common.bash

pushd test-compose &>/dev/null
echo "Launching fresh containers..."
@@ -12,38 +15,34 @@ sleep 60
pushd tests &>/dev/null
rm -f ./lastpage.txt

#ensure webisoget is installed
echo "ensuring that webisoget is installed..."
rpm -q webisoget &>/dev/null
if [ $? -ne '0' ]; then
echo "downloading webisoget rpm"
curl -s -L -o webisoget-2.8.7-1.x86_64.rpm https://github.internet2.edu/docker/util/blob/master/bin/webisoget-2.8.7-1.x86_64.rpm?raw=true
if [ -s webisoget-2.8.7-1.x86_64.rpm ]; then
echo "installing rpm..."
sudo rpm -ivh webisoget-2.8.7-1.x86_64.rpm
rm -f webisoget-2.8.7-1.x86_64.rpm
else
echo "can't get webisoget rpm..."
exit 1
fi
else
echo "webisoget already installed..."
fi

#ensure that name resolution is in place
ping -c 1 sptest.example.edu &>/dev/null
if [ $? -ne '0' ]; then
echo "adding hosts record for sp..."
echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts
echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (SP missing)"
exit 1
# echo "adding hosts record for sp..."
# echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts
fi
ping -c 1 idp.example.edu &>/dev/null
if [ $? -ne '0' ]; then
echo "adding hosts record for idp..."
echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts
echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (IdP missing)"
exit 1
# echo "adding hosts record for idp..."
# echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts
fi

# replace FROM line in IdP Dockerfile to newly-built local image
echo "Setting test suite to base from new IdP image: ${imagename}_${tag}"
sed -i "s*FROM i2incommon/shib-idp:latest5*FROM ${imagename}_${tag}*g" ../test-compose/idp/Dockerfile

echo "Attempting full-cycle test..."
webisoget -verbose -out ./lastpage.txt -formfile ./sptest.login -url https://sptest.example.edu:8443/secure/index.php

#build webisoget container
pushd ../test-compose/webisoget/ &>/dev/null
docker build -t webisoget .
popd &>/dev/null

docker run --net host -w /webisoget/ -i webisoget /bin/bash -c "rm -f lastpage.txt & webisoget -out ./lastpage.txt -maxhop 100 -timeout 120 -formfile /webisoget/sptest.login -url https://sptest.example.edu:8443/secure/index.php && cat lastpage.txt" > lastpage.txt

if [ -s ./lastpage.txt ]; then
cat lastpage.txt | grep kwhite@example.edu &>/dev/null
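Review bot: `sed -i "s*FROM i2incommon/shib-idp:latest5*FROM ${imagename}_${tag}*g" ../test-compose/idp/Dockerfile` silently does nothing if that `FROM` line ever changes again (this very commit changed it from `latest`), in which case the full-cycle test builds and passes against the published Hub image instead of the image under test and reports green for code that was never exercised. Verify the substitution took effect, e.g. `grep -q "^FROM ${imagename}_${tag}" ../test-compose/idp/Dockerfile || { echo "ERROR: test IdP Dockerfile not pointed at ${imagename}_${tag}"; exit 1; }`. In the `docker run --net host ... -c "rm -f lastpage.txt & webisoget ..."` line the single `&` backgrounds the `rm` rather than sequencing it, so it races with webisoget's own write of `lastpage.txt`; `&&` (or `;`) was presumably intended. The two new error messages also read `completei` where `complete` is meant.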
22 changes: 9 additions & 13 deletions tests/main.bats
@@ -3,11 +3,11 @@
load ../common

@test "010 Image is present and healthy" {
docker image inspect ${maintainer}/${imagename}
docker image inspect ${imagename}_${tag}
}

@test "020 All key files are present" {
docker run --rm -i ${maintainer}/${imagename} \
docker run --rm -i ${imagename}_${tag} \
find \
/opt/shibboleth-idp/credentials/idp-encryption.crt \
/opt/shibboleth-idp/credentials/idp-encryption.key \
@@ -18,39 +18,35 @@ load ../common
}

@test "030 Port 443/https is listening" {
docker run -d ${maintainer}/${imagename}
docker run -d ${imagename}_${tag}
sleep 25
#get cont id
contid=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ')
contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')
run docker exec -i ${contid} sh -c 'cat < /dev/null > /dev/tcp/127.0.0.1/443'
docker kill ${contid} &>/dev/null
docker rm ${contid} &>/dev/null
[ "$status" -eq 0 ]
}

@test "040 The IdP Status page is present" {
docker run -d ${maintainer}/${imagename}
docker run -d ${imagename}_${tag}
sleep 60
contid2=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ')
contid2=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')
run docker exec -i ${contid2} sh -c 'curl -I -k -s -f https://127.0.0.1/idp/status'
docker kill ${contid2} &>/dev/null
docker rm ${contid2} &>/dev/null
[ "$status" -eq 0 ]
}

@test "050 The version of Tomcat is current" {
./tests/checktomcatver.sh ${maintainer}/${imagename}
./tests/checktomcatver.sh ${imagename}_${tag}
}

@test "060 The version of the IdP is current" {
./tests/checkidpver.sh ${maintainer}/${imagename}
./tests/checkidpver.sh ${imagename}_${tag}
}

@test "070 There are no known security vulnerabilities" {
./tests/clairscan.sh ${maintainer}/${imagename}:latest
}

@test "080 The IdP successfully completed a full-cycle test with an SP" {
@test "070 The IdP successfully completed a full-cycle test with an SP" {
./tests/fulltest.sh
}

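Review bot: Tests 030 and 040 still locate the container with `contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')`, an unanchored substring match over the whole `docker ps` line; if a container from the `${imagename}_${tag}:arm64` image or a leftover from an earlier test is alive at the same time this yields several IDs and the following `docker exec -i ${contid}` fails for a reason unrelated to the IdP. `docker run -d` already prints the new container's ID, so `contid=$(docker run -d ${imagename}_${tag})` removes both the lookup and the ambiguity (likewise for `contid2` in 040). Renumbering the full-cycle test to 070 after dropping the clairscan test is fine, but a one-line comment noting that vulnerability scanning now happens in the Jenkins Scan stage would save the next reader from wondering where it went.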