diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..5567c04
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Accept the risk
+CVE-2016-1000027
+
diff --git a/Dockerfile b/Dockerfile
index 80f903a..04d2955 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,16 +1,16 @@
-FROM centos:centos7
+FROM --platform=$TARGETPLATFORM rockylinux:8.8
 
 ########################
 ### VERSION SETTINGS ###
 ########################
 #
 ##tomcat \
-ENV TOMCAT_MAJOR=9 \
- TOMCAT_VERSION=9.0.50 \
+ENV TOMCAT_MAJOR=10 \
+ TOMCAT_VERSION=10.1.14 \
 ##shib-idp \
- VERSION=4.1.4 \
+ VERSION=5.0.0 \
 ##TIER \
- TIERVERSION=20210802 \
+ TIERVERSION=20231012_rocky8_multiarch \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -39,7 +39,7 @@ ENV ENABLE_SEALER_KEY_ROTATION=True
 LABEL Vendor="Internet2" \
 ImageType="Shibboleth IDP Release" \
 ImageName=$imagename \
- ImageOS=centos7 \
+ ImageOS=RockyLinux8 \
 Version=$VERSION
 
 #########################
@@ -52,7 +52,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
 
 # Install base deps
 RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
- yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor fontconfig && \
+ yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim rsyslog cronie krb5-workstation openssl-devel supervisor fontconfig findutils && \
 yum -y clean all && \
 mkdir -p /opt/tier && \
 # Install Trusted Certificates
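Review bot: `# Accept the risk` above `CVE-2016-1000027` records a decision without its justification, so nobody can later tell whether the acceptance still holds or when to revisit it. Replace it with a comment that names the component and the reason, for example `# CVE-2016-1000027 (Spring Framework HttpInvoker/RMI remoting deserialization): accepted because the IdP does not deploy those remoting endpoints; re-evaluate on each IdP/Spring upgrade` — and confirm that this is in fact the reasoning behind the acceptance before writing it down. Note that the Jenkinsfile's fatal Trivy pass runs with `--vuln-type os`, so this library finding only affects the HTML report, not whether the build fails.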
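Review bot: `FROM --platform=$TARGETPLATFORM rockylinux:8.8` pins only a mutable tag, and selecting the target platform is what buildx does for `FROM` by default, so the flag adds nothing while the tag can be repointed upstream between builds. Pin the digest alongside the tag, e.g. `FROM rockylinux:8.8@sha256:<manifest-list digest from docker buildx imagetools inspect>`, so that the image that is scanned and a later `--push` rebuild start from the same base; for a multi-arch image the manifest-list digest is the one to pin. Keep the human-readable tag on the line and bump both together when updating.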
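Review bot: The revised package list still installs `telnet`, `strace`, `vim`, `mlocate` and `openssl-devel` into the runtime image, which adds attack surface and scanner noise on an internet-facing IdP without being needed to run Tomcat or the IdP. Move interactive/debug tools out of the image (or behind a build arg that defaults to off), and leave development headers such as `openssl-devel` out unless something in the build actually compiles against them. The blanket `yum -y update` in the same layer also makes the result depend on build time rather than on the pinned `rockylinux:8.8` tag, which is one reason a rebuilt image can differ from the one that was scanned.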
@@ -69,53 +69,11 @@ RUN update-ca-trust extract
 # To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
 ##### ENV TIER_BEACON_OPT_OUT True
 
-# Install Corretto Java JDK
-#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html
-ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm
-ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm
-COPY container_files/java-corretto/corretto-signing-key.pub .
-RUN curl -O -L $CORRETTO_URL_PERM \
- && rpm --import corretto-signing-key.pub \
- && rpm -K $CORRETTO_RPM \
- && rpm -i $CORRETTO_RPM \
- && rm -r corretto-signing-key.pub $CORRETTO_RPM
-ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto
-
-# To use Zulu Java:
-#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \
-# && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \
-# && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000
-#install Zulu JCE
-#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \
-# && cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-# && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \
-# && rm -rf /tmp/ZuluJCEPolicies.zip
-#ENV JAVA_HOME=/usr \
-
-# To use Oracle java/JCE:
-#
-#ENV JAVA_VERSION=8u171 \
-# BUILD_VERSION=b11 \
-# JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \
-#
-# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image.
-# ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-# yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-# rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \
-# alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \
-# alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \
-# alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000
-
-# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files.
-# ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html)
-# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \
-# http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \
-# && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \
-# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \
-# && rm jce_policy-8.zip \
-# && chmod -R 640 $JAVA_HOME/jre/lib/security/
+# Install Corretto Java JDK (from Amazon repo, more arch independent)
+RUN rpm --import https://yum.corretto.aws/corretto.key \
+ && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \
+ && yum install -y java-17-amazon-corretto-devel
+ENV JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto
 
 # Copy IdP installer properties file(s)
 ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/
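Review bot: `rpm --import https://yum.corretto.aws/corretto.key` trusts whatever key the server serves at build time, whereas the removed recipe shipped `corretto-signing-key.pub` in the repo and ran `rpm -K` against it, so the new step verifies the JDK only against a key fetched over the same channel as the packages. Keep a vendored copy of the key (or check its fingerprint after import) and pin the JDK build, e.g. `yum install -y java-17-amazon-corretto-devel-17.0.<x>` (confirm the exact version string the repo offers), so rebuilds are reproducible. The `curl -L -o /etc/yum.repos.d/corretto.repo …` call also lacks `-f`, so an HTTP error page would be written into yum's config and fail later with a confusing message; use `curl -fsSL -o …`.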
@@ -134,42 +92,54 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
 # Install
 cd /tmp/shibboleth/$SHIB_PREFIX && \
 ./bin/install.sh \
- -Didp.noprompt=true \
- -Didp.property.file=/tmp/idp.installer.properties && \
+ --noPrompt true \
+ --propertyFile /tmp/idp.installer.properties && \
 # Cleanup
 cd ~ && \
 rm -rf /tmp/shibboleth
 
 # Install tomcat
 RUN mkdir -p "$CATALINA_HOME" && set -x \
- && wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
- && wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
- && wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
- && gpg --import $CATALINA_HOME/KEYS \
- && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
+ && curl -s -o $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
+ && curl -s -o $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
+ && curl -s -L -o $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
+ && gpg --import $CATALINA_HOME/KEYS \
+ && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
 && gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
 && tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
 && rm $CATALINA_HOME/bin/*.bat \
- && rm $CATALINA_HOME/tomcat.tar.gz* \
- && mkdir -p $CATALINA_HOME/conf/Catalina \
- && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar \
+ && rm $CATALINA_HOME/tomcat.tar.gz*
+RUN mkdir -p $CATALINA_HOME/conf/Catalina \
 && rm -rf /usr/local/tomcat/webapps/* \
 && ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
-
+
 ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
 ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
 
+# add JSTL support
+## from https://repo1.maven.org/maven2/org/glassfish/web/jakarta.servlet.jsp.jstl/2.0.0/
+ADD container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar /usr/local/tomcat/lib/
+## from https://repo1.maven.org/maven2/jakarta/servlet/jsp/jstl/jakarta.servlet.jsp.jstl-api/2.0.0/
+ADD container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar /usr/local/tomcat/lib/
+
 #use log4j for tomcat logging
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/
-ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/
 RUN cd /usr/local/tomcat/; \
 chmod +r bin/log4j-*.jar;
 ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
 ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
 RUN mkdir -p /usr/local/tomcat/webapps/ROOT
 ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT
-ADD container_files/tomcat/keystore.jks /opt/certs/
+ADD container_files/tomcat/idp-default.key /opt/certs/
+ADD container_files/tomcat/idp-default.crt /opt/certs/
+
+# install needed IdP plugins
+ARG truststore="/opt/shibboleth-idp/credentials/PGP_KEYS"
+ARG plugin_args="--noPrompt --noRebuild --truststore ${truststore}"
+RUN /bin/curl -Lo ${truststore} https://shibboleth.net/downloads/PGP_KEYS && \
+ /opt/shibboleth-idp/bin/plugin.sh ${plugin_args} -I net.shibboleth.idp.plugin.nashorn
 
 # Copy TIER helper scripts
 ADD container_files/idp/rotateSealerKey.sh /opt/shibboleth-idp/bin/rotateSealerKey.sh
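Review bot: The three `ADD https://repo1.maven.org/.../log4j-*-2.18.0.jar /usr/local/tomcat/bin/` lines pull executable code into the image with no integrity check, in contrast to the Tomcat tarball a few lines above, which is GPG-verified before extraction; a substituted jar would be loaded by Tomcat at startup. Either use BuildKit's `ADD --checksum=sha256:<digest> <url> /usr/local/tomcat/bin/` for each jar, or download with `curl -fsSL` and compare against `sha256sum -c` before installing, with the expected digests recorded in the Dockerfile; the same applies to the vendored `jakarta.servlet.jsp.jstl-*.jar` files, whose source URLs are given in comments but whose digests are not. `ADD container_files/tomcat/idp-default.key /opt/certs/` bakes a repository-committed private key into every published image, so a comment here should state that it is a shared placeholder operators must replace. `curl -Lo ${truststore} https://shibboleth.net/downloads/PGP_KEYS` likewise runs without `-f`, so a failed download would hand `plugin.sh` an HTML error page as its truststore rather than stopping the build at the fetch.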
@@ -189,6 +159,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
 #set cron to not require a login session
 RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond
 
+#upgrade pip to remove sec vuln
+#RUN pip3 install --upgrade pip
+
 # Expose the port tomcat will be serving on
 EXPOSE 443
 
diff --git a/Jenkinsfile b/Jenkinsfile
index 4ac70a4..afb1619 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
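Review bot: `#RUN pip3 install --upgrade pip` is committed commented-out beneath a comment saying it removes a security vulnerability, which leaves the finding both unaddressed and undocumented. Either drop the two lines, or replace them with a comment that names the scanner finding and why the upgrade is deferred, e.g. `# pip not upgraded (<scanner finding id>): pip3 is not part of this image's package set — revisit if python3-pip is ever installed`; nothing in the package list above installs pip3, so confirm it is present before keeping any reference to upgrading it.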
@@ -1,104 +1,192 @@
-// Licensed to the University Corporation for Advanced Internet Development,
-// Inc. (UCAID) under one or more contributor license agreements. See the
-// NOTICE file distributed with this work for additional information regarding
-// copyright ownership. The UCAID licenses this file to You under the Apache
-// License, Version 2.0 (the "License"); you may not use this file except in
-// compliance with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-//distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-node('docker') {
- stage 'Checkout'
+pipeline {
+ agent { node { label 'docker-multi-arch' } }
+ environment {
+ maintainer = "t"
+ imagename = 's'
+ tag = 'l'
+ DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
- checkout scm
-
- stage 'Acquire util files'
-
- sh 'mkdir -p tmp && mkdir -p bin'
- dir('tmp'){
- git([ url: "https://github.internet2.edu/docker/util.git",
- credentialsId: "jenkins-github-access-token" ])
- sh 'rm -rf ../bin/*'
- sh 'mv ./bin/* ../bin/.'
- }
- sh 'rm -rf tmp'
-
- stage 'Setting build context'
-
- def maintainer = maintainer()
- def previous_maintainer = previous_maintainer()
- def imagename = imagename()
- def tag
-
- // Tag images created on master branch with 'latest'
- if(env.BRANCH_NAME == "master"){
- tag = "latest"
- }else{
- tag = env.BRANCH_NAME
 }
-
- if(!imagename){
- echo "You must define an imagename in common.bash"
- currentBuild.result = 'FAILURE'
- }
- if(maintainer){
- echo "Building ${imagename}:${tag} for ${maintainer}"
- }
-
- stage 'Build'
-
- try{
- sh 'bin/rebuild.sh &> debug'
- } catch(error) {
- def error_details = readFile('./debug');
- def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
+ stages {
+ stage('Setting build context') {
+ steps {
+ script {
+ maintainer = maintain()
+ imagename = imagename()
+ if(env.BRANCH_NAME == "master") {
+ tag = "latest"
+ } else {
+ tag = env.BRANCH_NAME
+ }
+ if(!imagename){
+ echo "You must define an imagename in common.bash"
+ currentBuild.result = 'FAILURE'
+ }
+ sh 'mkdir -p tmp && mkdir -p bin'
+ dir('tmp'){
+ git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+ sh 'rm -rf ../bin/*'
+ sh 'mv ./bin/* ../bin/.'
+ }
+ // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+ // We don't care if there are more 'tag' assignments there. The latest one wins.
+ sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+ }
+ }
+ }
+ stage('Clean') {
+ steps {
+ script {
+ try{
+ sh 'bin/destroy.sh >> debug'
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Build') {
+ steps {
+ script {
+ try{
+ sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+ // fails if already exists
+ // sh 'docker buildx create --use --name multiarch --append'
+ sh 'docker buildx inspect --bootstrap'
+ sh 'docker buildx ls'
+ sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
+ sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Test') {
+ steps {
+ script {
+ try {
+ echo "Starting tests..."
+ sh 'bats tests'
+ // echo "Skipping tests for now"
+ } catch (error) {
+ def error_details = readFile('./debug')
+ def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Scan') {
+ steps {
+ script {
+ try {
+ echo "Starting security scan..."
+ // Install trivy and HTML template
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+ // Scan container for all vulnerability levels
+ echo "Scanning for all vulnerabilities..."
+ sh 'mkdir -p reports'
+ // 2 commented scans below are OS-only, in case timeout issues occur
+ sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+ // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+ sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+ // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'container-scan.html',
+ reportName: 'Security Scan',
+ reportTitles: 'Security Scan'
+ ]
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'container-scan-arm.html',
+ reportName: 'Security Scan (ARM)',
+ reportTitles: 'Security Scan (ARM)'
+ ]
+ // Scan again and fail on CRITICAL vulns
+ //below can be temporarily commented to prevent build from failing
+ echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+ // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked
+ // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+ // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+ sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+ sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+ //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Push') {
+ steps {
+ script {
+ sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+ // fails if already exists
+ // sh 'docker buildx create --use --name multiarch --append'
+ sh 'docker buildx inspect --bootstrap'
+ sh 'docker buildx ls'
+ echo "Pushing image to dockerhub..."
+ sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
+ }
+ }
+ }
+ stage('Cleanup') {
+ steps {
+ script {
+ try{
+ echo "Cleaning up artifacts from the build..."
+ sh 'tests/cleanup.sh'
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Notify') {
+ steps{
+ echo "$maintainer"
+ slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+ }
+ }
+ }
-
- stage 'Test'
-
- try {
- sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
- } catch (error) {
- def error_details = readFile('./debug')
- def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
- }
-
- stage 'Push'
-
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
- def baseImg = docker.build("$maintainer/$imagename")
- baseImg.push("$tag")
+ post {
+ always {
+ echo 'Done Building.'
+ }
+ failure {
+ // slackSend color: 'good', message: "Build failed"
+ handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+ }
 }
-
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
- def altImg = docker.build("$previous_maintainer/$imagename")
- altImg.push("$tag")
- }
-
- stage 'Notify'
-
- slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
- }
-def maintainer() {
- def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
- matcher ? matcher[0][1] : 'i2incommon'
-}
-def previous_maintainer() {
- def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
+def maintain() {
+ def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
 matcher ? matcher[0][1] : 'tier'
 }
@@ -110,7 +198,8 @@ def imagename() {
 def handleError(String message){
 echo "${message}"
 currentBuild.setResult("FAILED")
- slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"
+ slackSend color: 'danger', message: "${message}"
+ //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
 sh 'exit 1'
 }
 
diff --git a/container_files/idp/idp.installer.properties b/container_files/idp/idp.installer.properties
index 3f4414b..4830266 100644
--- a/container_files/idp/idp.installer.properties
+++ b/container_files/idp/idp.installer.properties
@@ -1,4 +1,4 @@
-idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.1.4
+idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-5.0.0
 idp.target.dir=/opt/shibboleth-idp
 idp.host.name=idp.example.org
 idp.sealer.password=changeit
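Review bot: `sh 'docker login -u tieradmin -p $DOCKERHUBPW'` in the Build and Push stages puts the registry password on a command line, where any process on the agent can read it via `ps` and where shell tracing would print it, even though Jenkins masks it in the console log; use `sh 'echo "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'` (and the Build stage does not need to log in at all, since it only does `--load`). Separately, the Push stage runs a fresh `docker buildx build --push` rather than pushing the images that Test and Scan examined, so with `yum -y update` and unpinned installs in the Dockerfile the published artifact can differ from what was scanned; build once (e.g. `--push` to a candidate tag), scan that digest, then promote it with `docker buildx imagetools create -t ${maintainer}/${imagename}:${tag} <candidate>` instead of rebuilding. The Trivy installer is piped from `raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh` straight into `sh`, so pin it to a release tag or verify a checksum rather than trusting the `main` branch at run time. Only `--vuln-type os` CRITICAL findings are fatal here, so library CVEs — the class that `.trivyignore` suppresses — never gate a push; say so in the comment above those two lines if that is deliberate. Finally, the Build, Test and Scan `catch` blocks call `readFile('./debug')` although none of those stages writes `./debug` (only Clean does, via `>>`), so a failure there reports stale `destroy.sh` output or a missing-file error instead of the real cause.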
diff --git a/container_files/tomcat/idp-default.crt b/container_files/tomcat/idp-default.crt
new file mode 100644
index 0000000..c086e61
--- /dev/null
+++ b/container_files/tomcat/idp-default.crt
@@ -0,0 +1,22 @@
+-----BEGIN CERTIFICATE-----
+MIIDczCCAlugAwIBAgIEc3Xh/jANBgkqhkiG9w0BAQsFADBqMQswCQYDVQQGEwJV
+UzELMAkGA1UECBMCVVMxETAPBgNVBAcTCEFueXdoZXJlMRQwEgYDVQQKEwtFeGFt
+cGxlIE9yZzELMAkGA1UECxMCSVQxGDAWBgNVBAMTD2lkcC5leGFtcGxlLm9yZzAe
+Fw0xODA2MTMxODE2NTZaFw0yODA2MTAxODE2NTZaMGoxCzAJBgNVBAYTAlVTMQsw
+CQYDVQQIEwJVUzERMA8GA1UEBxMIQW55d2hlcmUxFDASBgNVBAoTC0V4YW1wbGUg
+T3JnMQswCQYDVQQLEwJJVDEYMBYGA1UEAxMPaWRwLmV4YW1wbGUub3JnMIIBIjAN
+BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAn29yHNKZZVM2dyA/MP8ItBnJiIHK
+Bj4HJA+x/+7d9Uw0VKNYWLBGd6eo48wZNUx/fSkamgsJnJJEcQ9ZB6Kh7Sr5Cv+j
+Kn+ttQ/xRBW/TOUInCi/+TE5tpHdqsc5jhvpDvJzyd4AjhWD98BRjnqO7Vdllh0h
+XY0eWwnURTC5RTjnTy8x0k8NGl+4/gICWcab10uOS6WziT/BiwWZiAFK+30aOzqv
+Qo9MLdP2iRNqhnXh21KCAEw/dm0iMOYa3c460cI5Wpz16BN0hBKJa2eLIsUz1Ei8
+e6d2bfgRsXSVuiwMG7/6kLcbqJSHMnLT2V17IzxpMMg4g2TV69MHAI0WfwIDAQAB
+oyEwHzAdBgNVHQ4EFgQUnUHUCeihIylq0vGUhtaZ3radUncwDQYJKoZIhvcNAQEL
+BQADggEBAJ47J4Q6Mgqt3TMyiwH0YTcL7KpFOTIX/BdaeG5c/QAuO+ASxxPeUSHd
+gy1GymRxrQp/9XXCjGRIVwSsgrZ0IZHhogIZCOTA+j+kri0TtZrhkKy6TCFimd1J
+JMmLmrT5uaEPAnL42jvet0rToPqx3gt9AdGbmWf+OyXT8pLMPRKvf6xTQSh1XJZH
+CXbNcMzEp7wq3Z3vDQZ498CM7mEb7y+2cF0iCKydHSL0VvqmjDicj2+4J6qKHBFW
+4cWkzmVmQTT8MEHYyq/Fif8ElE7PiRow3vhO7WEy7pfhcmrz3DPqRVDLk2AgmYBn
+rPigRnfDmz0Cc/zvxbd3UxfRATCNYcU=
+-----END CERTIFICATE-----
+
diff --git a/container_files/tomcat/idp-default.key b/container_files/tomcat/idp-default.key
new file mode 100644
index 0000000..cea75aa
--- /dev/null
+++ b/container_files/tomcat/idp-default.key
@@ -0,0 +1,29 @@
+-----BEGIN PRIVATE KEY-----
+MIIEvQIBADANBgkqhkiG9w0BAQEFAASCBKcwggSjAgEAAoIBAQCfb3Ic0pllUzZ3
+ID8w/wi0GcmIgcoGPgckD7H/7t31TDRUo1hYsEZ3p6jjzBk1TH99KRqaCwmckkRx
+D1kHoqHtKvkK/6Mqf621D/FEFb9M5QicKL/5MTm2kd2qxzmOG+kO8nPJ3gCOFYP3
+wFGOeo7tV2WWHSFdjR5bCdRFMLlFOOdPLzHSTw0aX7j+AgJZxpvXS45LpbOJP8GL
+BZmIAUr7fRo7Oq9Cj0wt0/aJE2qGdeHbUoIATD92bSIw5hrdzjrRwjlanPXoE3SE
+EolrZ4sixTPUSLx7p3Zt+BGxdJW6LAwbv/qQtxuolIcyctPZXXsjPGkwyDiDZNXr
+0wcAjRZ/AgMBAAECggEAI43/3audZ7o54DEBxpRpRXimt9lxyxiUEReq8086klRv
+KxzOO+D7pf1urXY7fOZVW/0JoKarew4nUytACHLdN32o0ioWIgkdHM60WCGdarF8
+zQ5NWW3/19YJn+cTz7wrqhipd7AZYZYsuthZl7N/IjCmR+axJSKuTVEQ1Gk8N9JR
+rY8CujwI8RRtVd1NQwFc+mEgjesCvqctoBBRUI5oP5uhwkbF9TLbs0nLZ9Q6EXpi
+LTViJA/q+/Qjl2Fi9V9291lMJfXEN5saNiFpYXGQtajEnzO30W7lTMi7IXHrSJpY
+BiLiPpGL6Rsk/aV/Cmk9kg7hTKGfW0c4m4U92LRsAQKBgQDMtWUA38K2izrkBKZU
+DjoV3QY0smA7V6RZtMuK9p4ntk23fE7SdcdJn6ILCUVl1V/TnFYRYIGbU4z/mBdb
+YHwfqtcp69GzQNXc4aJFghB0HGKmbomMZKddDVKZ6YyTZLiLDoMKLyyauuL0unGe
+b89CfqVK3KpqKQBkO0TMXibcfwKBgQDHYhf1VdobcJbNisRSGgl8DOgGSmc/KrCC
+AHobcc9xtS+kXP8Fa6ymwA4aw8G5RZ21IWiqrsjRk1zb23CXm/d9EjWZygUmAfgb
+ymHXJ9bQ1Vk/DDua/SbDHZf24C7VApac+1IOkjRwGflIL555ms5rLA2XlaniPFwA
+1kVNbiTGAQKBgQCfhryvcbDLkLTT/MuhtXSOlS/A4UEc/a+WOM5l/MpDKE5oLvc+
+C4rCVSRydUcflKiYv7xSzmIyKWo3xM5u50HTa89BXASPLHd9KljK0hEAax51lK6c
+OdQzL66vQtHKCzPFKgn0Zc7cxccX8DOaxIc/ynIFZPFoyYsEkSuMF9MxAQKBgAOW
+PS4ZtEnIFb5u36dGdqM3rDjov8DAKNq93XR+8KdwBgJj9eaIEFwTmm1a1jJaEUM/
+7Z0cddpnV0VRRk5D7Qjf+fzhSIRthqQhWO9A9TlejTN4Kd5Y7YiXELPNRqpoWINM
+diZy9OSLYxOsX6J6aXo+GaR/ecXrJhCRyj9hWuIBAoGAaOGaWVRmKISH8lf57SEV
+fZCuPA1cplMpToHYK/uXdLBZuMkeG89jSLBN8fXx86KfRuUXrBDXgGs5zHF0BS7u
+dvOtw+lGj3WhYcWg2D/9mUoiOQ9i9dSxDM/pg6BH65ZrhNlnBnjVrSyN2A4AjfRw
+NfRiVLTvQIYmTSq8H+NxFAc=
+-----END PRIVATE KEY-----
+
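Review bot: This adds an unencrypted RSA private key to the repository, and the Dockerfile copies it to `/opt/certs/idp-default.key` and `server.xml` points `certificateKeyFile` at it, so every image built from this repo serves the same TLS key and anyone who can clone the repo or pull the image holds it; the default certificate therefore authenticates nothing and only protects sessions against passive observers. The previous `keystore.jks` had the same property, so this is not a regression, but the key is now plain text and trivially reusable. Document it as a placeholder where it is consumed (`# idp-default.key is a public, shared test key — operators MUST mount their own key/cert at /opt/certs`) and have the container warn loudly at startup when the key it is about to serve still matches this one (compare `openssl pkey -pubout` output), or generate a throwaway self-signed pair at first start when no operator key is mounted. The file is committed as mode 100644, which `ADD` preserves, so inside the container the key is readable by every user, not just the one running Tomcat.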
diff --git a/container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar b/container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar new file mode 100644 index 0000000..92712b0 Binary files /dev/null and b/container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar differ diff --git a/container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar b/container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar new file mode 100644 index 0000000..81059ec Binary files /dev/null and b/container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar differ diff --git a/container_files/tomcat/keystore.jks b/container_files/tomcat/keystore.jks deleted file mode 100644 index 6a28c4f..0000000 Binary files a/container_files/tomcat/keystore.jks and /dev/null differ diff --git a/container_files/tomcat/server.xml b/container_files/tomcat/server.xml index f25cad4..f316955 100644 --- a/container_files/tomcat/server.xml +++ b/container_files/tomcat/server.xml @@ -5,20 +5,23 @@ - - + + certificateFile="/opt/certs/idp-default.crt" + certificateKeyFile="/opt/certs/idp-default.key" /> - + diff --git a/test-compose/idp/Dockerfile b/test-compose/idp/Dockerfile index 23686e2..85006cb 100644 --- a/test-compose/idp/Dockerfile +++ b/test-compose/idp/Dockerfile @@ -1,4 +1,4 @@ -FROM tier/shib-idp:latest +FROM i2incommon/shib-idp:latest5 # The build args below can be used at build-time to tell the build process where to find your config files. This is for a completely burned-in config. ARG TOMCFG=config/tomcat diff --git a/test-compose/idp/container_files/config/tomcat/server.xml b/test-compose/idp/container_files/config/tomcat/server.xml index d0df37e..a5b21a9 100644 --- a/test-compose/idp/container_files/config/tomcat/server.xml +++ b/test-compose/idp/container_files/config/tomcat/server.xml @@ -4,12 +4,26 @@ - + + + + + + + + /dev/null echo "Launching fresh containers..." 
@@ -12,38 +15,34 @@ sleep 60
 
 pushd tests &>/dev/null
 rm -f ./lastpage.txt
-#ensure webisoget is installed
-echo "ensuring that webisoget is installed..."
-rpm -q webisoget &>/dev/null
-if [ $? -ne '0' ]; then
- echo "downloading webisoget rpm"
- curl -s -L -o webisoget-2.8.7-1.x86_64.rpm https://github.internet2.edu/docker/util/blob/master/bin/webisoget-2.8.7-1.x86_64.rpm?raw=true
- if [ -s webisoget-2.8.7-1.x86_64.rpm ]; then
- echo "installing rpm..."
- sudo rpm -ivh webisoget-2.8.7-1.x86_64.rpm
- rm -f webisoget-2.8.7-1.x86_64.rpm
- else
- echo "can't get webisoget rpm..."
- exit 1
- fi
-else
- echo "webisoget already installed..."
-fi
-
 #ensure that name resolution is in place
 ping -c 1 sptest.example.edu &>/dev/null
 if [ $? -ne '0' ]; then
- echo "adding hosts record for sp..."
- echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts
+ echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (SP missing)"
+ exit 1
+# echo "adding hosts record for sp..."
+# echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts
 fi
 ping -c 1 idp.example.edu &>/dev/null
 if [ $? -ne '0' ]; then
- echo "adding hosts record for idp..."
- echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts
+ echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (IdP missing)"
+ exit 1
+# echo "adding hosts record for idp..."
+# echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts
 fi
 
+# replace FROM line in IdP Dockerfile to newly-built local image
+echo "Setting test suite to base from new IdP image: ${imagename}_${tag}"
+sed -i "s*FROM i2incommon/shib-idp:latest5*FROM ${imagename}_${tag}*g" ../test-compose/idp/Dockerfile
+
 echo "Attempting full-cycle test..."
-webisoget -verbose -out ./lastpage.txt -formfile ./sptest.login -url https://sptest.example.edu:8443/secure/index.php
+
+#build webisoget container
+pushd ../test-compose/webisoget/ &>/dev/null
+docker build -t webisoget .
+popd &>/dev/null
+
+docker run --net host -w /webisoget/ -i webisoget /bin/bash -c "rm -f lastpage.txt & webisoget -out ./lastpage.txt -maxhop 100 -timeout 120 -formfile /webisoget/sptest.login -url https://sptest.example.edu:8443/secure/index.php && cat lastpage.txt" > lastpage.txt
 
 if [ -s ./lastpage.txt ]; then
 cat lastpage.txt | grep kwhite@example.edu &>/dev/null
diff --git a/tests/main.bats b/tests/main.bats
index 4fa64f1..75a5d29 100644
--- a/tests/main.bats
+++ b/tests/main.bats
@@ -3,11 +3,11 @@ load ../common
 
 
 @test "010 Image is present and healthy" {
- docker image inspect ${maintainer}/${imagename}
+ docker image inspect ${imagename}_${tag}
 }
 
 @test "020 All key files are present" {
- docker run --rm -i ${maintainer}/${imagename} \
+ docker run --rm -i ${imagename}_${tag} \
 find \
 /opt/shibboleth-idp/credentials/idp-encryption.crt \
 /opt/shibboleth-idp/credentials/idp-encryption.key \
@@ -18,10 +18,10 @@ load ../common
 }
 
 @test "030 Port 443/https is listening" {
- docker run -d ${maintainer}/${imagename}
+ docker run -d ${imagename}_${tag}
 sleep 25
 #get cont id
- contid=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ')
+ contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')
 run docker exec -i ${contid} sh -c 'cat < /dev/null > /dev/tcp/127.0.0.1/443'
 docker kill ${contid} &>/dev/null
 docker rm ${contid} &>/dev/null
@@ -29,9 +29,9 @@ load ../common
 }
 
 @test "040 The IdP Status page is present" {
- docker run -d ${maintainer}/${imagename}
+ docker run -d ${imagename}_${tag}
 sleep 60
- contid2=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ')
+ contid2=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')
 run docker exec -i ${contid2} sh -c 'curl -I -k -s -f https://127.0.0.1/idp/status'
 docker kill ${contid2} &>/dev/null
 docker rm ${contid2} &>/dev/null
@@ -39,18 +39,14 @@ load ../common
 }
 
 @test "050 The version of Tomcat is current" {
- ./tests/checktomcatver.sh ${maintainer}/${imagename}
+ ./tests/checktomcatver.sh ${imagename}_${tag}
 }
 
 @test "060 The version of the IdP is current" {
- ./tests/checkidpver.sh ${maintainer}/${imagename}
+ ./tests/checkidpver.sh ${imagename}_${tag}
 }
 
-@test "070 There are no known security vulnerabilities" {
- ./tests/clairscan.sh ${maintainer}/${imagename}:latest
-}
-
-@test "080 The IdP successfully completed a full-cycle test with an SP" {
+@test "070 The IdP successfully completed a full-cycle test with an SP" {
 ./tests/fulltest.sh
 }
 
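Review bot: In the `docker run … /bin/bash -c "rm -f lastpage.txt & webisoget -out ./lastpage.txt …"` line the single `&` backgrounds `rm` instead of sequencing it, so the delete races the file webisoget is about to write and can remove it mid-run, leaving `cat lastpage.txt` with nothing and the full-cycle test failing intermittently; change it to `rm -f lastpage.txt && webisoget …`. The `sed -i "s*FROM i2incommon/shib-idp:latest5*FROM ${imagename}_${tag}*g"` rewrite interpolates two shell variables into a sed program, so a `*`, `&` or `\` in either value (they come from `common.bash`) would corrupt the Dockerfile rather than fail; validate them against a safe character set first or regenerate the `FROM` line with `printf`. The harness container also runs with `--net host`, which is presumably what lets it reach the `/etc/hosts` names checked above — a one-line comment saying so would stop it being copied into non-test compose files.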
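Review bot: `contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')` selects any container whose `docker ps` row mentions the image name, which is fragile when a container from a previous, killed test is still listed or when several images share a prefix. Capture the id from the `docker run -d` on the line above instead, `contid=$(docker run -d ${imagename}_${tag})`, and drop the `docker ps | grep` pipeline; the same applies to `contid2` in test 040.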
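Review bot: Dropping test 070 (`./tests/clairscan.sh`) removes the only vulnerability check that ran with `bats tests` outside Jenkins, and the replacement Scan stage in the Jenkinsfile fails the build only for `--vuln-type os` CRITICAL findings. If the intent is that CI owns scanning, say so where the test used to be, e.g. `# vulnerability scanning moved to the Jenkinsfile Scan stage (trivy)`, so a developer running the suite locally knows the gap; otherwise add a small trivy-based test here (`trivy image --exit-code 1 --severity CRITICAL ${imagename}_${tag}`) so that local and CI runs check the same thing.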