diff --git a/.trivyignore b/.trivyignore new file mode 100644 index 0000000..5567c04 --- /dev/null +++ b/.trivyignore @@ -0,0 +1,3 @@ +# Accept the risk +CVE-2016-1000027 + diff --git a/Dockerfile b/Dockerfile index 80f903a..622f775 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM centos:centos7 +FROM --platform=$TARGETPLATFORM rockylinux:8.8 ######################## ### VERSION SETTINGS ### @@ -6,11 +6,11 @@ FROM centos:centos7 # ##tomcat \ ENV TOMCAT_MAJOR=9 \ - TOMCAT_VERSION=9.0.50 \ + TOMCAT_VERSION=9.0.83 \ ##shib-idp \ - VERSION=4.1.4 \ + VERSION=4.3.1 \ ##TIER \ - TIERVERSION=20210802 \ + TIERVERSION=20231128_rocky8_multiarch \ #################### \ #### OTHER VARS #### \ #################### \ @@ -52,7 +52,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \ # Install base deps RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \ - yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor fontconfig && \ + yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim rsyslog cronie krb5-workstation openssl-devel supervisor fontconfig findutils && \ yum -y clean all && \ mkdir -p /opt/tier && \ # Install Trusted Certificates 
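Review bot: The new ignore entry `CVE-2016-1000027` carries no justification, scope or review date, and a `.trivyignore` in the repository root silences that finding for every trivy run started from this directory (both the amd64 and the arm64 scans in the Jenkinsfile). Replace `# Accept the risk` with a comment that names the component carrying the finding, why it is not reachable in this deployment, who accepted it and when it is to be re-reviewed, e.g. `# CVE-2016-1000027 - <component>: <why not exploitable here>; accepted by <owner>, re-review by <date>`. If this is the Spring Framework library finding the identifier suggests, note that the fatal scan in the Scan stage runs with `--vuln-type os` only, so the entry currently changes the HTML report but not the pass/fail gate.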
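Review bot: `--platform=$TARGETPLATFORM` on the `FROM` line is what a `FROM` resolves to anyway when no `--platform` is given, so it adds nothing for a native multi-arch build; only `$BUILDPLATFORM` changes behaviour, and that is for cross-compiling. If the intent is a reproducible base across both architectures, pin by digest instead, e.g. `FROM rockylinux:8.8@sha256:<ROCKY_8_8_MANIFEST_DIGEST>` (the manifest-list digest covers amd64 and arm64), and keep a comment on the line saying which date it was taken.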
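Review bot: The rewritten `yum -y install` line still puts interactive and diagnostic tooling (`telnet`, `strace`, `mlocate`, `vim`, `man`) into what appears to be a single-stage image that is also the runtime image, and no package is version-pinned, so two builds of the same commit can differ in content. Consider trimming the list to what the entrypoint and the tests need and justifying anything kept, e.g. `# strace/telnet kept for TIER support diagnostics`. The `yum -y update` at the start of the same layer also makes the result depend on the build date; bumping the base tag or digest is the reproducible way to pick up fixes, and the image should then be rebuilt rather than updated in place.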
@@ -69,54 +69,12 @@ RUN update-ca-trust extract # To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it). ##### ENV TIER_BEACON_OPT_OUT True -# Install Corretto Java JDK -#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-11-ug/downloads-list.html -ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-11-x64-linux-jdk.rpm -ARG CORRETTO_RPM=amazon-corretto-11-x64-linux-jdk.rpm -COPY container_files/java-corretto/corretto-signing-key.pub . -RUN curl -O -L $CORRETTO_URL_PERM \ - && rpm --import corretto-signing-key.pub \ - && rpm -K $CORRETTO_RPM \ - && rpm -i $CORRETTO_RPM \ - && rm -r corretto-signing-key.pub $CORRETTO_RPM +# Install Corretto Java JDK (from Amazon repo, more arch independent) +RUN rpm --import https://yum.corretto.aws/corretto.key \ + && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \ + && yum install -y java-11-amazon-corretto-devel ENV JAVA_HOME=/usr/lib/jvm/java-11-amazon-corretto -# To use Zulu Java: -#RUN rpm --import http://repos.azulsystems.com/RPM-GPG-KEY-azulsystems \ -# && curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo \ -# && yum -y install zulu-8 && alternatives --install /usr/bin/java java $JAVA_HOME/bin/java 200000 -#install Zulu JCE -#RUN curl -o /tmp/ZuluJCEPolicies.zip https://cdn.azul.com/zcek/bin/ZuluJCEPolicies.zip \ -# && cd /tmp && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/local_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \ -# && unzip -oj ZuluJCEPolicies.zip ZuluJCEPolicies/US_export_policy.jar -d $JAVA_HOME/lib/jvm/zulu-8/jre/lib/security/ \ -# && rm -rf /tmp/ZuluJCEPolicies.zip -#ENV JAVA_HOME=/usr \ - -# To use Oracle java/JCE: -# -#ENV JAVA_VERSION=8u171 \ -# BUILD_VERSION=b11 \ -# JAVA_BUNDLE_ID=512cd62ec5174c3487ac17c61aaa89e8 \ -# -# Uncomment the following commands to download the Oracle JDK to your Shibboleth IDP image. 
-# ==> By uncommenting these next 6 lines, you agree to the Oracle Binary Code License Agreement for Java SE (http://www.oracle.com/technetwork/java/javase/terms/license/index.html) -# RUN wget -nv --no-cookies --no-check-certificate --header "Cookie: oraclelicense=accept-securebackup-cookie" "http://download.oracle.com/otn-pub/java/jdk/$JAVA_VERSION-$BUILD_VERSION/$JAVA_BUNDLE_ID/jdk-$JAVA_VERSION-linux-x64.rpm" -O /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \ -# yum -y install /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \ -# rm -f /tmp/jdk-$JAVA_VERSION-$BUILD_VERSION-linux-x64.rpm && \ -# alternatives --install /usr/bin/java jar $JAVA_HOME/bin/java 200000 && \ -# alternatives --install /usr/bin/javaws javaws $JAVA_HOME/bin/javaws 200000 && \ -# alternatives --install /usr/bin/javac javac $JAVA_HOME/bin/javac 200000 - -# For Oracle Java, also uncomment the following commands to download the Java Cryptography Extension (JCE) Unlimited Strength Jurisdiction Policy Files. -# ==> By uncommenting these next 7 lines, you agree to the Oracle Binary Code License Agreement for Java SE Platform Products (http://www.oracle.com/technetwork/java/javase/terms/license/index.html) -# RUN wget --no-check-certificate --no-cookies --header "Cookie: oraclelicense=accept-securebackup-cookie" \ -# http://download.oracle.com/otn-pub/java/jce/8/jce_policy-8.zip \ -# && echo "f3020a3922efd6626c2fff45695d527f34a8020e938a49292561f18ad1320b59 jce_policy-8.zip" | sha256sum -c - \ -# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/local_policy.jar -d $JAVA_HOME/jre/lib/security/ \ -# && unzip -oj jce_policy-8.zip UnlimitedJCEPolicyJDK8/US_export_policy.jar -d $JAVA_HOME/jre/lib/security/ \ -# && rm jce_policy-8.zip \ -# && chmod -R 640 $JAVA_HOME/jre/lib/security/ - # Copy IdP installer properties file(s) ADD container_files/idp/idp.installer.properties container_files/idp/idp.merge.properties container_files/idp/ldap.merge.properties /tmp/ 
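Review bot: The new Corretto install drops the verification the old block had (`rpm --import` of a key vendored in `container_files/java-corretto/corretto-signing-key.pub`, then `rpm -K`) and instead trusts whatever `https://yum.corretto.aws/corretto.key` serves at build time, so key and packages now come from the same origin and the only thing checked is that origin's TLS certificate. The `curl -L -o /etc/yum.repos.d/corretto.repo` call also lacks `-f`, so an HTTP error page would be saved as the repo file and the build would carry on into `yum install` with a broken repo definition; use `curl -fsSL -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo`. Keeping the vendored key and importing it from the checkout (assuming it is the same Corretto signing key), or at least recording the expected key fingerprint in a comment and checking it with `rpm -q gpg-pubkey` after the import, would pin the trust anchor to the repository rather than to a download. `java-11-amazon-corretto-devel` is unpinned, so the JDK build changes between builds without a visible change in this file.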
@@ -142,27 +100,27 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \ # Install tomcat RUN mkdir -p "$CATALINA_HOME" && set -x \ - && wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \ - && wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \ - && wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \ - && gpg --import $CATALINA_HOME/KEYS \ - && gpg $CATALINA_HOME/tomcat.tar.gz.asc \ + && curl -s -o $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \ + && curl -s -o $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \ + && curl -s -L -o $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \ + && gpg --import $CATALINA_HOME/KEYS \ + && gpg $CATALINA_HOME/tomcat.tar.gz.asc \ && gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \ && tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \ && rm $CATALINA_HOME/bin/*.bat \ - && rm $CATALINA_HOME/tomcat.tar.gz* \ - && mkdir -p $CATALINA_HOME/conf/Catalina \ - && curl -o /usr/local/tomcat/lib/jstl1.2.jar https://build.shibboleth.net/nexus/service/local/repositories/thirdparty/content/javax/servlet/jstl/1.2/jstl-1.2.jar \ + && rm $CATALINA_HOME/tomcat.tar.gz* +RUN mkdir -p $CATALINA_HOME/conf/Catalina \ && rm -rf /usr/local/tomcat/webapps/* \ && ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war - + +ADD container_files/tomcat/jstl-1.2.jar /usr/local/tomcat/lib/ ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml #use log4j for tomcat logging -ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.11.0/log4j-core-2.11.0.jar /usr/local/tomcat/bin/ -ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.11.0/log4j-api-2.11.0.jar /usr/local/tomcat/bin/ -ADD 
https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.11.0/log4j-jul-2.11.0.jar /usr/local/tomcat/bin/ +ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/ +ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/ +ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/ RUN cd /usr/local/tomcat/; \ chmod +r bin/log4j-*.jar; ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/ @@ -189,6 +147,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \ #set cron to not require a login session RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond +#upgrade pip to remove sec vuln +#RUN pip3 install --upgrade pip + # Expose the port tomcat will be serving on EXPOSE 443 diff --git a/Jenkinsfile b/Jenkinsfile index 4ac70a4..afb1619 100644 --- a/Jenkinsfile +++ b/Jenkinsfile 
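Review bot: The three `ADD https://repo1.maven.org/.../log4j-*-2.18.0.jar` lines place jars on Tomcat's classpath with no integrity check, while the Tomcat tarball in the same hunk is GPG-verified; BuildKit's checksum form, e.g. `ADD --checksum=sha256:<LOG4J_CORE_SHA256> https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/` (with a `# syntax=docker/dockerfile:1` directive on a frontend that supports `--checksum`), or a `curl` followed by `sha256sum -c`, would pin them, and the same gap exists for the vendored `container_files/tomcat/jstl-1.2.jar`, whose origin and hash are recorded nowhere. The `curl -s -o` downloads of the tarball and its `.asc` lack `-f`/`-S`, so an HTTP error (dlcdn tends to carry only current releases) silently stores an error page and the failure surfaces later as an opaque gpg message; `curl -fsS -o` fails at once with the status code. The enclosing `RUN` starts on this hunk's first lines, but `TOMCAT_TGZ_URL` is defined outside it.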
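Review bot: `#RUN pip3 install --upgrade pip` under `#upgrade pip to remove sec vuln` records an intended remediation but neither the finding nor why the line is disabled, so the next reader cannot tell whether the issue is still open. Either drop the two lines or state the finding and the decision, e.g. `# pip upgrade deferred: <finding id>; pip is not used at runtime - tracked in <ticket>`; if pip is not needed in the image at all, saying so is the better record.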
@@ -1,104 +1,192 @@ -// Licensed to the University Corporation for Advanced Internet Development, -// Inc. (UCAID) under one or more contributor license agreements. See the -// NOTICE file distributed with this work for additional information regarding -// copyright ownership. The UCAID licenses this file to You under the Apache -// License, Version 2.0 (the "License"); you may not use this file except in -// compliance with the License. You may obtain a copy of the License at -// -// http://www.apache.org/licenses/LICENSE-2.0 -// -// Unless required by applicable law or agreed to in writing, software -//distributed under the License is distributed on an "AS IS" BASIS, -// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. -// See the License for the specific language governing permissions and -// limitations under the License. -// -node('docker') { - stage 'Checkout' +pipeline { + agent { node { label 'docker-multi-arch' } } + environment { + maintainer = "t" + imagename = 's' + tag = 'l' + DOCKERHUBPW=credentials('tieradmin-dockerhub-pw') - checkout scm - - stage 'Acquire util files' - - sh 'mkdir -p tmp && mkdir -p bin' - dir('tmp'){ - git([ url: "https://github.internet2.edu/docker/util.git", - credentialsId: "jenkins-github-access-token" ]) - sh 'rm -rf ../bin/*' - sh 'mv ./bin/* ../bin/.' 
- } - sh 'rm -rf tmp' - - stage 'Setting build context' - - def maintainer = maintainer() - def previous_maintainer = previous_maintainer() - def imagename = imagename() - def tag - - // Tag images created on master branch with 'latest' - if(env.BRANCH_NAME == "master"){ - tag = "latest" - }else{ - tag = env.BRANCH_NAME } - - if(!imagename){ - echo "You must define an imagename in common.bash" - currentBuild.result = 'FAILURE' - } - if(maintainer){ - echo "Building ${imagename}:${tag} for ${maintainer}" - } - - stage 'Build' - - try{ - sh 'bin/rebuild.sh &> debug' - } catch(error) { - def error_details = readFile('./debug'); - def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) + stages { + stage('Setting build context') { + steps { + script { + maintainer = maintain() + imagename = imagename() + if(env.BRANCH_NAME == "master") { + tag = "latest" + } else { + tag = env.BRANCH_NAME + } + if(!imagename){ + echo "You must define an imagename in common.bash" + currentBuild.result = 'FAILURE' + } + sh 'mkdir -p tmp && mkdir -p bin' + dir('tmp'){ + git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ]) + sh 'rm -rf ../bin/*' + sh 'mv ./bin/* ../bin/.' + } + // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing. + // We don't care if there are more 'tag' assignments there. The latest one wins. + sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash" + } + } + } + stage('Clean') { + steps { + script { + try{ + sh 'bin/destroy.sh >> debug' + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem building the Base Image. 
\n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Build') { + steps { + script { + try{ + sh 'docker login -u tieradmin -p $DOCKERHUBPW' + // fails if already exists + // sh 'docker buildx create --use --name multiarch --append' + sh 'docker buildx inspect --bootstrap' + sh 'docker buildx ls' + sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ." + sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ." + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Test') { + steps { + script { + try { + echo "Starting tests..." + sh 'bats tests' + // echo "Skipping tests for now" + } catch (error) { + def error_details = readFile('./debug') + def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Scan') { + steps { + script { + try { + echo "Starting security scan..." + // Install trivy and HTML template + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1' + sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl' + + // Scan container for all vulnerability levels + echo "Scanning for all vulnerabilities..." 
+ sh 'mkdir -p reports' + // 2 commented scans below are OS-only, in case timeout issues occur + sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" + // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}" + sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" + // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64" + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan.html', + reportName: 'Security Scan', + reportTitles: 'Security Scan' + ] + publishHTML target : [ + allowMissing: true, + alwaysLinkToLastBuild: true, + keepAll: true, + reportDir: 'reports', + reportFiles: 'container-scan-arm.html', + reportName: 'Security Scan (ARM)', + reportTitles: 'Security Scan (ARM)' + ] + // Scan again and fail on CRITICAL vulns + //below can be temporarily commented to prevent build from failing + echo "Scanning for CRITICAL vulnerabilities only (fatal)..." 
+ // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked + // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}" + // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" + sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}" + sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64" + //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..." + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Push') { + steps { + script { + sh 'docker login -u tieradmin -p $DOCKERHUBPW' + // fails if already exists + // sh 'docker buildx create --use --name multiarch --append' + sh 'docker buildx inspect --bootstrap' + sh 'docker buildx ls' + echo "Pushing image to dockerhub..." + sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ." + } + } + } + stage('Cleanup') { + steps { + script { + try{ + echo "Cleaning up artifacts from the build..." + sh 'tests/cleanup.sh' + } catch(error) { + def error_details = readFile('./debug'); + def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}" + sh "rm -f ./debug" + handleError(message) + } + } + } + } + stage('Notify') { + steps{ + echo "$maintainer" + slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" + } + } } - - stage 'Test' - - try { - sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0' - } catch (error) { - def error_details = readFile('./debug') - def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. 
\n\n ${error_details}" - sh "rm -f ./debug" - handleError(message) - } - - stage 'Push' - - docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") { - def baseImg = docker.build("$maintainer/$imagename") - baseImg.push("$tag") + post { + always { + echo 'Done Building.' + } + failure { + // slackSend color: 'good', message: "Build failed" + handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.") + } } - - docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") { - def altImg = docker.build("$previous_maintainer/$imagename") - altImg.push("$tag") - } - - stage 'Notify' - - slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub" - } -def maintainer() { - def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' - matcher ? matcher[0][1] : 'i2incommon' -} -def previous_maintainer() { - def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"' +def maintain() { + def matcher = readFile('common.bash') =~ 'maintainer="(.+)"' matcher ? matcher[0][1] : 'tier' } @@ -110,7 +198,8 @@ def imagename() { def handleError(String message){ echo "${message}" currentBuild.setResult("FAILED") - slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)" + slackSend color: 'danger', message: "${message}" + //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true]) sh 'exit 1' } diff --git a/container_files/idp/idp.installer.properties b/container_files/idp/idp.installer.properties index 3f4414b..e478dcd 100644 --- a/container_files/idp/idp.installer.properties +++ b/container_files/idp/idp.installer.properties @@ -1,4 +1,4 @@ -idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.1.4 +idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-4.3.1 idp.target.dir=/opt/shibboleth-idp idp.host.name=idp.example.org idp.sealer.password=changeit 
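Review bot: `sh 'docker login -u tieradmin -p $DOCKERHUBPW'` (Build stage and again in Push) hands the registry password over as a command-line argument, where it is visible in the agent's process table and triggers Docker's own insecure-password warning; read it from stdin instead: `sh 'echo "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'`. The Scan stage installs trivy with `curl -sfL .../trivy/main/contrib/install.sh | sh`, so although the binary is pinned to `v0.31.1` the installer script and `html.tpl` come from an unpinned `main` branch on every run; fetch both from a tagged release and verify a checksum, or install trivy from a pinned release archive. The Push stage runs a fresh `docker buildx build --push` for both platforms rather than pushing the `${imagename}_${tag}` images that Test and Scan examined, so what reaches Docker Hub is the tested artifact only when the build cache happens to hit; pushing the loaded images, or building once with `--push` and scanning by digest, closes that gap. Every catch block calls `readFile('./debug')`, but only the Clean stage writes `debug`, so the Build/Test/Scan error messages carry stale `destroy.sh` output or fail on a missing file. The `environment` values `maintainer = "t"`, `imagename = 's'`, `tag = 'l'` are overwritten in the first stage and deserve a `// placeholders, set in 'Setting build context'` comment.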
diff --git a/container_files/tomcat/jstl-1.2.jar b/container_files/tomcat/jstl-1.2.jar
new file mode 100755
index 0000000..0fd275e
Binary files /dev/null and b/container_files/tomcat/jstl-1.2.jar differ
diff --git a/test-compose/idp/Dockerfile b/test-compose/idp/Dockerfile
index 23686e2..d249df5 100644
--- a/test-compose/idp/Dockerfile
+++ b/test-compose/idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM tier/shib-idp:latest
+FROM tier/shib-idp:latest4 # The build args below can be used at build-time to tell the build process where to find your config files. This is for a completely burned-in config. ARG TOMCFG=config/tomcat
diff --git a/test-compose/webisoget/Dockerfile b/test-compose/webisoget/Dockerfile
new file mode 100644
index 0000000..dadf692
--- /dev/null
+++ b/test-compose/webisoget/Dockerfile
@@ -0,0 +1,10 @@
+FROM rockylinux:8.6
+
+RUN yum -y install libtool autoconf automake gcc make libcurl-devel openssl-devel git
+
+RUN cd /; git clone https://github.com/UWIT-IAM/webisoget; cd /webisoget; bash ./boot;./configure --disable-dependency-tracking;make;make install
+
+COPY sptest.login /webisoget
+
+#ENTRYPOINT ["usr/local/bin/webisoget"]
+CMD ["tail", "-f", "/dev/null"]
diff --git a/test-compose/webisoget/sptest.login b/test-compose/webisoget/sptest.login
new file mode 100644
index 0000000..f41b11c
--- /dev/null
+++ b/test-compose/webisoget/sptest.login
@@ -0,0 +1,3 @@
+name=; domain=idp.example.edu; j_username=kwhite; j_password=password;
+name=shibboleth;
+name=form1;submit_value=Continue;
diff --git a/tests/checktomcatver.sh b/tests/checktomcatver.sh
index 3c1abd0..1ce353e 100755
--- a/tests/checktomcatver.sh
+++ b/tests/checktomcatver.sh
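Review bot: The new base `FROM tier/shib-idp:latest4` no longer matches the pattern the new tests/fulltest.sh uses to point the harness at the freshly built image, `sed -i "s*FROM i2incommon/shib-idp:latest*FROM ${imagename}_${tag}*g" ../test-compose/idp/Dockerfile`, so the full-cycle test builds from whatever `tier/shib-idp:latest4` is on Docker Hub rather than from the image under test, and Scan and Push then proceed on a test result for a different image. Match the whole line instead, e.g. `sed -i "s|^FROM .*|FROM ${imagename}_${tag}|" ../test-compose/idp/Dockerfile`, or better, make the base a build argument (`ARG BASE_IMAGE=tier/shib-idp:latest4` followed by `FROM ${BASE_IMAGE}`) and pass `--build-arg BASE_IMAGE=${imagename}_${tag}` from the test, which also stops the test from editing a tracked file. The same defect is visible in the tests/fulltest.sh hunk further down.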
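Review bot: `RUN cd /; git clone https://github.com/UWIT-IAM/webisoget; cd /webisoget; bash ./boot;./configure --disable-dependency-tracking;make;make install` chains every step with `;`, so a failed clone, configure or make still returns 0 and yields a "successful" image without the binary, and it clones the default branch at whatever commit it is on that day, so the test client is not reproducible. Chain with `&&`, check out a pinned commit or tag, and use `WORKDIR` rather than `cd`; the `yum -y install` line could likewise be pinned and followed by `yum clean all`. `CMD ["tail", "-f", "/dev/null"]` keeps the container alive as root, which is acceptable for a throwaway test client but deserves a `# test-only client image; kept alive for docker exec` comment so it is not copied into a service image.
```dockerfile
FROM rockylinux:8.6
# … unchanged: yum install line …
# Pin the harness to a known revision so test runs are reproducible.
ARG WEBISOGET_REF=<PINNED_COMMIT_OR_TAG>
WORKDIR /webisoget
RUN git clone https://github.com/UWIT-IAM/webisoget /webisoget \
 && git checkout "${WEBISOGET_REF}" \
 && bash ./boot \
 && ./configure --disable-dependency-tracking \
 && make \
 && make install
# … unchanged: COPY sptest.login, CMD …
```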
@@ -51,8 +51,7 @@ if [ -z "$(echo $tomcatver | xargs)" ]; then fi #check if that version of tomcat is available in the download area (return is 0 if current, non-zero if not current)
-wget -q --spider https://mirrors.gigenet.com/apache/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz
-#wget -q --spider http://apache.mirrors.ionfish.org/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz
+wget -q --spider https://dlcdn.apache.org/tomcat/tomcat-9/v${tomcatver}/bin/apache-tomcat-${tomcatver}.tar.gz if [ $? == '0' ]; then echo "Running Tomcat version (${tomcatver}) is current!"
diff --git a/tests/cleanup.sh b/tests/cleanup.sh
new file mode 100755
index 0000000..98f3b37
--- /dev/null
+++ b/tests/cleanup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. ./common.bash
+
+result=$(docker ps -a | grep ${imagename}_${tag})
+if [ ! -z "$result" ]; then
+ echo "removing existing containers"
+ docker rm -f $(docker ps -a | grep ${imagename}_${tag} | awk '{print $1}')
+fi
+docker rmi -f ${imagename}_${tag}
+
+result2=$(docker ps -a | grep ${imagename}_${tag}:arm64)
+if [ ! -z "$result2" ]; then
+ echo "removing existing containers"
+ docker rm -f $(docker ps -a | grep ${imagename}_${tag}:arm64 | awk '{print $1}')
+fi
+docker rmi -f ${imagename}_${tag}:arm64
+
+
diff --git a/tests/fulltest.sh b/tests/fulltest.sh
index 40d7d0a..c529499 100755
--- a/tests/fulltest.sh
+++ b/tests/fulltest.sh
@@ -1,4 +1,7 @@
 #!/bin/bash
+echo "Starting fulltest.sh script..."
+
+. ./common.bash pushd test-compose &>/dev/null echo "Launching fresh containers..."
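Review bot: `docker ps -a | grep ${imagename}_${tag}` in the new tests/cleanup.sh is an unanchored substring match over every column of the listing, so on a shared agent it can select, and `docker rm -f`, containers whose name or image merely contains that string, and `${imagename}`/`${tag}` are used unquoted straight from common.bash. Let Docker do the selection: `docker rm -f $(docker ps -aq --filter "ancestor=${imagename}_${tag}")` (and the same with `:arm64`), which also removes the need for the `result`/`result2` guards. `docker rmi -f` on a missing image prints an error and continues, which is probably intended; a `set -u` after the shebang would stop the script before anything is deleted if `tag` was never appended to common.bash.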
@@ -12,38 +15,34 @@ sleep 60 pushd tests &>/dev/null rm -f ./lastpage.txt -#ensure webisoget is installed -echo "ensuring that webisoget is installed..." -rpm -q webisoget &>/dev/null -if [ $? -ne '0' ]; then - echo "downloading webisoget rpm" - curl -s -L -o webisoget-2.8.7-1.x86_64.rpm https://github.internet2.edu/docker/util/blob/master/bin/webisoget-2.8.7-1.x86_64.rpm?raw=true - if [ -s webisoget-2.8.7-1.x86_64.rpm ]; then - echo "installing rpm..." - sudo rpm -ivh webisoget-2.8.7-1.x86_64.rpm - rm -f webisoget-2.8.7-1.x86_64.rpm - else - echo "can't get webisoget rpm..." - exit 1 - fi -else - echo "webisoget already installed..." -fi - #ensure that name resolution is in place ping -c 1 sptest.example.edu &>/dev/null if [ $? -ne '0' ]; then - echo "adding hosts record for sp..." - echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts + echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (SP missing)" + exit 1 +# echo "adding hosts record for sp..." +# echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts fi ping -c 1 idp.example.edu &>/dev/null if [ $? -ne '0' ]; then - echo "adding hosts record for idp..." - echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts + echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (IdP missing)" + exit 1 +# echo "adding hosts record for idp..." +# echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts fi +# replace FROM line in IdP Dockerfile to newly-built local image +echo "Setting test suite to base from new IdP image: ${imagename}_${tag}" +sed -i "s*FROM i2incommon/shib-idp:latest*FROM ${imagename}_${tag}*g" ../test-compose/idp/Dockerfile + echo "Attempting full-cycle test..." -webisoget -verbose -out ./lastpage.txt -formfile ./sptest.login -url https://sptest.example.edu:8443/secure/index.php + +#build webisoget container +pushd ../test-compose/webisoget/ &>/dev/null +docker build -t webisoget . 
+popd &>/dev/null + +docker run --net host -w /webisoget/ -i webisoget /bin/bash -c "rm -f lastpage.txt & webisoget -out ./lastpage.txt -maxhop 100 -timeout 120 -formfile /webisoget/sptest.login -url https://sptest.example.edu:8443/secure/index.php && cat lastpage.txt" > lastpage.txt if [ -s ./lastpage.txt ]; then cat lastpage.txt | grep kwhite@example.edu &>/dev/null diff --git a/tests/main.bats b/tests/main.bats index 4fa64f1..9108868 100644 --- a/tests/main.bats +++ b/tests/main.bats @@ -3,11 +3,11 @@ load ../common @test "010 Image is present and healthy" { - docker image inspect ${maintainer}/${imagename} + docker image inspect ${imagename}_${tag} } @test "020 All key files are present" { - docker run --rm -i ${maintainer}/${imagename} \ + docker run --rm -i ${imagename}_${tag} \ find \ /opt/shibboleth-idp/credentials/idp-encryption.crt \ /opt/shibboleth-idp/credentials/idp-encryption.key \ @@ -18,10 +18,10 @@ load ../common } @test "030 Port 443/https is listening" { - docker run -d ${maintainer}/${imagename} + docker run -d ${imagename}_${tag} sleep 25 #get cont id - contid=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ') + contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ') run docker exec -i ${contid} sh -c 'cat < /dev/null > /dev/tcp/127.0.0.1/443' docker kill ${contid} &>/dev/null docker rm ${contid} &>/dev/null @@ -29,9 +29,9 @@ load ../common } @test "040 The IdP Status page is present" { - docker run -d ${maintainer}/${imagename} + docker run -d ${imagename}_${tag} sleep 60 - contid2=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ') + contid2=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ') run docker exec -i ${contid2} sh -c 'curl -I -k -s -f https://127.0.0.1/idp/status' docker kill ${contid2} &>/dev/null docker rm ${contid2} &>/dev/null 
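Review bot: In the new `docker run ... /bin/bash -c "rm -f lastpage.txt & webisoget -out ./lastpage.txt ..."` the single `&` backgrounds the `rm`, so it races the `webisoget` that is writing the same file rather than preceding it; `&&` is what is meant, e.g. `rm -f lastpage.txt && webisoget -out ./lastpage.txt -maxhop 100 -timeout 120 -formfile /webisoget/sptest.login -url https://sptest.example.edu:8443/secure/index.php && cat lastpage.txt`. The `sed -i` on `../test-compose/idp/Dockerfile` edits a tracked file in the checkout, so after one run the pattern no longer matches and a later run with a different `${imagename}_${tag}` keeps the previous image (the pattern mismatch itself is raised at the test-compose/idp/Dockerfile hunk). `--net host` is presumably there so the container resolves `sptest.example.edu` through the host's hosts file that the script now insists on; a one-line comment saying so would stop a later reader from tightening it. The two new error messages contain the typo `completei`.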
@@ -39,18 +39,14 @@ load ../common } @test "050 The version of Tomcat is current" { - ./tests/checktomcatver.sh ${maintainer}/${imagename} + ./tests/checktomcatver.sh ${imagename}_${tag} } -@test "060 The version of the IdP is current" { - ./tests/checkidpver.sh ${maintainer}/${imagename} -} - -@test "070 There are no known security vulnerabilities" { - ./tests/clairscan.sh ${maintainer}/${imagename}:latest -} +#@test "060 The version of the IdP is current" { +# ./tests/checkidpver.sh ${imagename}_${tag} +#} -@test "080 The IdP successfully completed a full-cycle test with an SP" { +@test "070 The IdP successfully completed a full-cycle test with an SP" { ./tests/fulltest.sh }
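Review bot: Test `060 The version of the IdP is current` is commented out and `070 There are no known security vulnerabilities` is deleted without a comment saying why, so a reader of the bats file cannot tell whether the IdP version check is broken, obsolete or merely slow, nor that vulnerability scanning moved to the Jenkinsfile Scan stage (where the fatal check covers OS packages only). A line such as `# 060 disabled: <reason>; vulnerability scan now run by trivy in the Jenkinsfile Scan stage` above the commented block would keep the test list self-explanatory. The earlier hunks of this file only swap the image reference.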