diff --git a/.trivyignore b/.trivyignore
new file mode 100644
index 0000000..5567c04
--- /dev/null
+++ b/.trivyignore
@@ -0,0 +1,3 @@
+# Accept the risk
+CVE-2016-1000027
+
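Review bot: The suppression of CVE-2016-1000027 records no rationale, owner or review date, so the next person running the scanner cannot tell whether "Accept the risk" is still valid; replace the bare comment with something like `# CVE-2016-1000027: <why it is not exploitable here>, accepted by <owner> <date>, revisit <date>`. Newer trivy releases also accept an expiry on the entry itself (`CVE-2016-1000027 exp:<YYYY-MM-DD>`), though the pipeline pins v0.31.1 so that may need checking before relying on it.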
diff --git a/Dockerfile b/Dockerfile
index 7318a80..fb251c6 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,4 +1,4 @@
-FROM centos:centos7
+FROM --platform=$TARGETPLATFORM rockylinux:8.8
########################
### VERSION SETTINGS ###
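Review bot: `--platform=$TARGETPLATFORM` on the FROM line restates buildx's default behaviour (the base is already pulled for each target platform), so it is redundant and hadolint flags variable `--platform` on FROM (DL3029); `FROM rockylinux:8.8` alone gives the same multi-arch result. While touching this line, consider pinning the base by digest (`rockylinux:8.8@sha256:<digest>`) so the image is reproducible across rebuilds.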
@@ -6,11 +6,11 @@ FROM centos:centos7
#
##tomcat \
ENV TOMCAT_MAJOR=10 \
- TOMCAT_VERSION=10.1.13 \
+ TOMCAT_VERSION=10.1.17 \
##shib-idp \
VERSION=5.0.0 \
##TIER \
- TIERVERSION=20230914 \
+ TIERVERSION=20231218_rocky8_multiarch \
#################### \
#### OTHER VARS #### \
#################### \
@@ -39,7 +39,7 @@ ENV ENABLE_SEALER_KEY_ROTATION=True
LABEL Vendor="Internet2" \
ImageType="Shibboleth IDP Release" \
ImageName=$imagename \
- ImageOS=centos7 \
+ ImageOS=RockyLinux8 \
Version=$VERSION
#########################
@@ -52,7 +52,7 @@ RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
# Install base deps
RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
- yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor fontconfig && \
+ yum -y install net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim rsyslog cronie krb5-workstation openssl-devel supervisor fontconfig findutils && \
yum -y clean all && \
mkdir -p /opt/tier && \
# Install Trusted Certificates
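Review bot: The new package list still contains `unzip` twice, and it installs `telnet`, `strace`, `vim`, `mlocate`, `man` and `net-tools` into the production IdP image, which widens the attack surface and adds packages for the scanner to report without serving the running service. Drop the duplicate and move the interactive/debugging tools out of the final image (or justify each in a comment), and note that the preceding `yum -y update` makes the layer non-reproducible, so bumping the base tag is the preferred way to pick up fixes. The `RUN` chain that starts on this hunk's third line continues past the end of the hunk.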
@@ -69,16 +69,11 @@ RUN update-ca-trust extract
# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
##### ENV TIER_BEACON_OPT_OUT True
-# Install Corretto Java JDK
-#Corretto download page: https://docs.aws.amazon.com/corretto/latest/corretto-17-ug/downloads-list.html
-ARG CORRETTO_URL_PERM=https://corretto.aws/downloads/latest/amazon-corretto-17-x64-linux-jdk.rpm
-ARG CORRETTO_RPM=amazon-corretto-17-x64-linux-jdk.rpm
-COPY container_files/java-corretto/corretto-signing-key.pub .
-RUN curl -O -L $CORRETTO_URL_PERM \
- && rpm --import corretto-signing-key.pub \
- && rpm -K $CORRETTO_RPM \
- && rpm -i $CORRETTO_RPM \
- && rm -r corretto-signing-key.pub $CORRETTO_RPM
+
+# Install Corretto Java JDK (from Amazon repo, more arch independent)
+RUN rpm --import https://yum.corretto.aws/corretto.key \
+ && curl -L -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \
+ && yum install -y java-17-amazon-corretto-devel
ENV JAVA_HOME=/usr/lib/jvm/java-17-amazon-corretto
# Copy IdP installer properties file(s)
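Review bot: `curl -L -o /etc/yum.repos.d/corretto.repo …` has no `-f`, so on an HTTP error curl writes the error body into the repo file and exits 0, and the failure only surfaces later as an unrelated yum parse error; use `&& curl -fsSL -o /etc/yum.repos.d/corretto.repo https://yum.corretto.aws/corretto.repo \`. The removed block verified the RPM against a signing key vendored in the repository, whereas the new block imports the key from the network, so package trust now rests entirely on TLS to yum.corretto.aws; keeping the vendored key for `rpm --import` (or comparing the downloaded key's fingerprint against a recorded value) would preserve the earlier guarantee. The install also leaves the yum cache in the layer since there is no `yum -y clean all` after it, unlike the base-deps layer above.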
@@ -98,27 +93,28 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
# Install
cd /tmp/shibboleth/$SHIB_PREFIX && \
./bin/install.sh \
- --propertyFile /tmp/idp.installer.properties \
--noPrompt true \
+ --propertyFile /tmp/idp.installer.properties && \
+
# Cleanup
cd ~ && \
rm -rf /tmp/shibboleth
# Install tomcat
RUN mkdir -p "$CATALINA_HOME" && set -x \
- && wget -q -O $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
- && wget -q -O $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
- && wget -q -O $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
- && gpg --import $CATALINA_HOME/KEYS \
- && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
+ && curl -s -o $CATALINA_HOME/tomcat.tar.gz "$TOMCAT_TGZ_URL" \
+ && curl -s -o $CATALINA_HOME/tomcat.tar.gz.asc "$TOMCAT_TGZ_URL.asc" \
+ && curl -s -L -o $CATALINA_HOME/KEYS "https://www.apache.org/dist/tomcat/tomcat-$TOMCAT_MAJOR/KEYS" \
+ && gpg --import $CATALINA_HOME/KEYS \
+ && gpg $CATALINA_HOME/tomcat.tar.gz.asc \
&& gpg --batch --verify $CATALINA_HOME/tomcat.tar.gz.asc $CATALINA_HOME/tomcat.tar.gz \
&& tar -xvf $CATALINA_HOME/tomcat.tar.gz -C $CATALINA_HOME --strip-components=1 \
&& rm $CATALINA_HOME/bin/*.bat \
- && rm $CATALINA_HOME/tomcat.tar.gz* \
- && mkdir -p $CATALINA_HOME/conf/Catalina \
- && rm -rf /usr/local/tomcat/webapps/* \
- && ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
-
+ && rm $CATALINA_HOME/tomcat.tar.gz*
+RUN mkdir -p $CATALINA_HOME/conf/Catalina \
+ && rm -rf /usr/local/tomcat/webapps/* \
+ && ln -s /opt/shibboleth-idp/war/idp.war $CATALINA_HOME/webapps/idp.war
+
ADD container_files/idp/idp.xml /usr/local/tomcat/conf/Catalina/idp.xml
ADD container_files/tomcat/server.xml /usr/local/tomcat/conf/server.xml
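Review bot: The added empty line directly after `--propertyFile /tmp/idp.installer.properties && \` is an empty continuation line inside the `RUN`, which Docker reports as a deprecation warning and has announced will become a build error; remove the blank line so the `# Cleanup` comment follows the continuation directly. The tomcat downloads on the new side use `curl -s -o` without `-f`, so an HTTP error page gets saved as `tomcat.tar.gz`/`.asc` and the problem is only reported by the later gpg verify with a misleading message; `curl -fsSL -o` fails the layer at the download instead. The standalone `gpg $CATALINA_HOME/tomcat.tar.gz.asc` line appears to do nothing that the following `gpg --batch --verify` does not already do and could be dropped. The `RUN` that begins on the first hunk line starts before this hunk.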
@@ -129,12 +125,9 @@ ADD container_files/tomcat/jakarta.servlet.jsp.jstl-2.0.0.jar /usr/local/tomcat/
ADD container_files/tomcat/jakarta.servlet.jsp.jstl-api-2.0.0.jar /usr/local/tomcat/lib/
#use log4j for tomcat logging
-#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.17.2/log4j-core-2.17.2.jar /usr/local/tomcat/bin/
-COPY container_files/tomcat/log4j-core-2.17.2.jar /usr/local/tomcat/bin/
-#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.17.2/log4j-api-2.17.2.jar /usr/local/tomcat/bin/
-COPY container_files/tomcat/log4j-api-2.17.2.jar /usr/local/tomcat/bin/
-#ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.17.2/log4j-jul-2.17.2.jar /usr/local/tomcat/bin/
-COPY container_files/tomcat/log4j-jul-2.17.2.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-api/2.18.0/log4j-api-2.18.0.jar /usr/local/tomcat/bin/
+ADD https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-jul/2.18.0/log4j-jul-2.18.0.jar /usr/local/tomcat/bin/
RUN cd /usr/local/tomcat/; \
chmod +r bin/log4j-*.jar;
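Review bot: Replacing the vendored log4j jars with bare `ADD https://…` lines removes integrity verification from the build: the jars are fetched over the network at build time with no checksum, so a tampered or substituted artifact would be loaded into Tomcat's classpath unnoticed. Pin each download, e.g. `ADD --checksum=sha256:<digest-published-on-maven-central> https://repo1.maven.org/maven2/org/apache/logging/log4j/log4j-core/2.18.0/log4j-core-2.18.0.jar /usr/local/tomcat/bin/` (requires a recent `# syntax=docker/dockerfile:1` frontend), or fetch with curl in a `RUN` and compare against the published `.sha256` before installing. `ADD --chmod=644` would also make the trailing `chmod +r` layer unnecessary.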
@@ -142,7 +135,6 @@ ADD container_files/tomcat/log4j2.xml /usr/local/tomcat/conf/
ADD container_files/tomcat/setenv.sh /usr/local/tomcat/bin/
RUN mkdir -p /usr/local/tomcat/webapps/ROOT
ADD container_files/tomcat/robots.txt /usr/local/tomcat/webapps/ROOT
-#ADD container_files/tomcat/keystore.jks /opt/certs/
ADD container_files/tomcat/idp-default.key /opt/certs/
ADD container_files/tomcat/idp-default.crt /opt/certs/
@@ -170,6 +162,9 @@ RUN mkdir -p /etc/supervisor/conf.d && chmod +x /opt/tier/setenv.sh \
#set cron to not require a login session
RUN sed -i '/session required pam_loginuid.so/c\#session required pam_loginuid.so' /etc/pam.d/crond
+#upgrade pip to remove sec vuln
+#RUN pip3 install --upgrade pip
+
# Expose the port tomcat will be serving on
EXPOSE 443
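Review bot: The added comment "upgrade pip to remove sec vuln" sits above a commented-out `RUN pip3 install --upgrade pip`, so a reader cannot tell whether the vulnerability is still present in the image or the mitigation was deliberately deferred. Either enable the line or rewrite the comment to record the decision, e.g. `# pip upgrade not applied: <reason>; see scan report / .trivyignore`, rather than leaving dead code that reads like a fix.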
diff --git a/Jenkinsfile b/Jenkinsfile
index 4ac70a4..afb1619 100644
--- a/Jenkinsfile
+++ b/Jenkinsfile
@@ -1,104 +1,192 @@
-// Licensed to the University Corporation for Advanced Internet Development,
-// Inc. (UCAID) under one or more contributor license agreements. See the
-// NOTICE file distributed with this work for additional information regarding
-// copyright ownership. The UCAID licenses this file to You under the Apache
-// License, Version 2.0 (the "License"); you may not use this file except in
-// compliance with the License. You may obtain a copy of the License at
-//
-// http://www.apache.org/licenses/LICENSE-2.0
-//
-// Unless required by applicable law or agreed to in writing, software
-//distributed under the License is distributed on an "AS IS" BASIS,
-// WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
-// See the License for the specific language governing permissions and
-// limitations under the License.
-//
-node('docker') {
- stage 'Checkout'
+pipeline {
+ agent { node { label 'docker-multi-arch' } }
+ environment {
+ maintainer = "t"
+ imagename = 's'
+ tag = 'l'
+ DOCKERHUBPW=credentials('tieradmin-dockerhub-pw')
- checkout scm
-
- stage 'Acquire util files'
-
- sh 'mkdir -p tmp && mkdir -p bin'
- dir('tmp'){
- git([ url: "https://github.internet2.edu/docker/util.git",
- credentialsId: "jenkins-github-access-token" ])
- sh 'rm -rf ../bin/*'
- sh 'mv ./bin/* ../bin/.'
- }
- sh 'rm -rf tmp'
-
- stage 'Setting build context'
-
- def maintainer = maintainer()
- def previous_maintainer = previous_maintainer()
- def imagename = imagename()
- def tag
-
- // Tag images created on master branch with 'latest'
- if(env.BRANCH_NAME == "master"){
- tag = "latest"
- }else{
- tag = env.BRANCH_NAME
}
-
- if(!imagename){
- echo "You must define an imagename in common.bash"
- currentBuild.result = 'FAILURE'
- }
- if(maintainer){
- echo "Building ${imagename}:${tag} for ${maintainer}"
- }
-
- stage 'Build'
-
- try{
- sh 'bin/rebuild.sh &> debug'
- } catch(error) {
- def error_details = readFile('./debug');
- def message = "BUILD ERROR: There was a problem building ${imagename}:${tag}. \n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
+ stages {
+ stage('Setting build context') {
+ steps {
+ script {
+ maintainer = maintain()
+ imagename = imagename()
+ if(env.BRANCH_NAME == "master") {
+ tag = "latest"
+ } else {
+ tag = env.BRANCH_NAME
+ }
+ if(!imagename){
+ echo "You must define an imagename in common.bash"
+ currentBuild.result = 'FAILURE'
+ }
+ sh 'mkdir -p tmp && mkdir -p bin'
+ dir('tmp'){
+ git([ url: "https://github.internet2.edu/docker/util.git", credentialsId: "jenkins-github-access-token" ])
+ sh 'rm -rf ../bin/*'
+ sh 'mv ./bin/* ../bin/.'
+ }
+ // Build and test scripts expect that 'tag' is present in common.bash. This is necessary for both Jenkins and standalone testing.
+ // We don't care if there are more 'tag' assignments there. The latest one wins.
+ sh "echo >> common.bash ; echo \"tag=\\\"${tag}\\\"\" >> common.bash ; echo common.bash ; cat common.bash"
+ }
+ }
+ }
+ stage('Clean') {
+ steps {
+ script {
+ try{
+ sh 'bin/destroy.sh >> debug'
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem building the Base Image. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Build') {
+ steps {
+ script {
+ try{
+ sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+ // fails if already exists
+ // sh 'docker buildx create --use --name multiarch --append'
+ sh 'docker buildx inspect --bootstrap'
+ sh 'docker buildx ls'
+ sh "docker buildx build --platform linux/amd64 -t ${imagename}_${tag} --load ."
+ sh "docker buildx build --platform linux/arm64 -t ${imagename}_${tag}:arm64 --load ."
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Test') {
+ steps {
+ script {
+ try {
+ echo "Starting tests..."
+ sh 'bats tests'
+ // echo "Skipping tests for now"
+ } catch (error) {
+ def error_details = readFile('./debug')
+ def message = "BUILD ERROR: There was a problem testing ${maintainer}/${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Scan') {
+ steps {
+ script {
+ try {
+ echo "Starting security scan..."
+ // Install trivy and HTML template
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/install.sh | sh -s -- -b /usr/local/bin v0.31.1'
+ sh 'curl -sfL https://raw.githubusercontent.com/aquasecurity/trivy/main/contrib/html.tpl > html.tpl'
+
+ // Scan container for all vulnerability levels
+ echo "Scanning for all vulnerabilities..."
+ sh 'mkdir -p reports'
+ // 2 commented scans below are OS-only, in case timeout issues occur
+ sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+ // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan.html ${imagename}_${tag}"
+ sh "trivy image --timeout 10m --ignore-unfixed --vuln-type os,library --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+ // sh "trivy image --ignore-unfixed --vuln-type os --severity CRITICAL,HIGH --no-progress --security-checks vuln --format template --template '@html.tpl' -o reports/container-scan-arm.html ${imagename}_${tag}:arm64"
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'container-scan.html',
+ reportName: 'Security Scan',
+ reportTitles: 'Security Scan'
+ ]
+ publishHTML target : [
+ allowMissing: true,
+ alwaysLinkToLastBuild: true,
+ keepAll: true,
+ reportDir: 'reports',
+ reportFiles: 'container-scan-arm.html',
+ reportName: 'Security Scan (ARM)',
+ reportTitles: 'Security Scan (ARM)'
+ ]
+ // Scan again and fail on CRITICAL vulns
+ //below can be temporarily commented to prevent build from failing
+ echo "Scanning for CRITICAL vulnerabilities only (fatal)..."
+ // 2 scans below are temp (os scan only, no lib scan), while timeout issues are worked
+ // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+ // sh "trivy image --ignore-unfixed --vuln-type os,library --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+ sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}"
+ sh "trivy image --ignore-unfixed --vuln-type os --exit-code 1 --severity CRITICAL ${imagename}_${tag}:arm64"
+ //echo "Skipping scan for CRITICAL vulnerabilities (temporary)..."
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem scanning ${imagename}:${tag}. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Push') {
+ steps {
+ script {
+ sh 'docker login -u tieradmin -p $DOCKERHUBPW'
+ // fails if already exists
+ // sh 'docker buildx create --use --name multiarch --append'
+ sh 'docker buildx inspect --bootstrap'
+ sh 'docker buildx ls'
+ echo "Pushing image to dockerhub..."
+ sh "docker buildx build --push --platform linux/arm64,linux/amd64 -t ${maintainer}/${imagename}:${tag} ."
+ }
+ }
+ }
+ stage('Cleanup') {
+ steps {
+ script {
+ try{
+ echo "Cleaning up artifacts from the build..."
+ sh 'tests/cleanup.sh'
+ } catch(error) {
+ def error_details = readFile('./debug');
+ def message = "BUILD ERROR: There was a problem with cleanup of the image. \n\n ${error_details}"
+ sh "rm -f ./debug"
+ handleError(message)
+ }
+ }
+ }
+ }
+ stage('Notify') {
+ steps{
+ echo "$maintainer"
+ slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
+ }
+ }
}
-
- stage 'Test'
-
- try {
- sh 'bin/test.sh 2>&1 | tee debug ; test ${PIPESTATUS[0]} -eq 0'
- } catch (error) {
- def error_details = readFile('./debug')
- def message = "BUILD ERROR: There was a problem testing ${imagename}:${tag}. \n\n ${error_details}"
- sh "rm -f ./debug"
- handleError(message)
- }
-
- stage 'Push'
-
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
- def baseImg = docker.build("$maintainer/$imagename")
- baseImg.push("$tag")
+ post {
+ always {
+ echo 'Done Building.'
+ }
+ failure {
+ // slackSend color: 'good', message: "Build failed"
+ handleError("BUILD ERROR: There was a problem building ${maintainer}/${imagename}:${tag}.")
+ }
}
-
- docker.withRegistry('https://registry.hub.docker.com/', "dockerhub-$previous_maintainer") {
- def altImg = docker.build("$previous_maintainer/$imagename")
- altImg.push("$tag")
- }
-
- stage 'Notify'
-
- slackSend color: 'good', message: "$maintainer/$imagename:$tag pushed to DockerHub"
-
}
-def maintainer() {
- def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
- matcher ? matcher[0][1] : 'i2incommon'
-}
-def previous_maintainer() {
- def matcher = readFile('common.bash') =~ 'previous_maintainer="(.+)"'
+def maintain() {
+ def matcher = readFile('common.bash') =~ 'maintainer="(.+)"'
matcher ? matcher[0][1] : 'tier'
}
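Review bot: `docker login -u tieradmin -p $DOCKERHUBPW` in the Build and Push stages passes the registry password on the command line, where it is visible in the agent's process list and in any shell tracing, and docker itself warns against it; use `sh 'echo "$DOCKERHUBPW" | docker login -u tieradmin --password-stdin'` (single quotes kept so the shell, not Groovy, expands it). The catch blocks in Build, Test and Scan call `readFile('./debug')`, but only `bin/destroy.sh >> debug` in Clean writes that file, so on failure they either throw on a missing file or report stale Clean output instead of the real error. The Push stage runs a fresh `docker buildx build --push` rather than pushing the `${imagename}_${tag}` images that Test and Scan examined, so the published multi-arch image is not necessarily the tested and scanned artifact. The fatal scans on the new side use `--vuln-type os` only, so library findings (including the Java jars) never fail the build, and the trivy installer is piped from the `main` branch into `sh` with no checksum.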
@@ -110,7 +198,8 @@ def imagename() {
def handleError(String message){
echo "${message}"
currentBuild.setResult("FAILED")
- slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"
+ slackSend color: 'danger', message: "${message}"
+ //step([$class: 'Mailer', notifyEveryUnstableBuild: true, recipients: 'pcaskey@internet2.edu', sendToIndividuals: true])
sh 'exit 1'
}
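Review bot: The failure Slack message drops `(<${env.BUILD_URL}|Open>)`, which was the link back to the failing build; unless that removal was intentional, keep `slackSend color: 'danger', message: "${message} (<${env.BUILD_URL}|Open>)"` so recipients can reach the log in one click. The commented-out Mailer step carrying an individual's address is dead configuration and would be better removed or replaced with a team alias when re-enabled.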
diff --git a/container_files/tomcat/keystore.jks b/container_files/tomcat/keystore.jks
deleted file mode 100644
index 6a28c4f..0000000
Binary files a/container_files/tomcat/keystore.jks and /dev/null differ
diff --git a/test-compose/idp/Dockerfile b/test-compose/idp/Dockerfile
index fe4f979..85006cb 100644
--- a/test-compose/idp/Dockerfile
+++ b/test-compose/idp/Dockerfile
@@ -1,4 +1,4 @@
-FROM i2incommon/shib-idp:latest
+FROM i2incommon/shib-idp:latest5
# The build args below can be used at build-time to tell the build process where to find your config files. This is for a completely burned-in config.
ARG TOMCFG=config/tomcat
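Review bot: The new `FROM i2incommon/shib-idp:latest5` string is rewritten at test time by a `sed` in tests/fulltest.sh that matches this exact literal, so any future edit to this line silently breaks the full-cycle test without an error; add `# NOTE: tests/fulltest.sh rewrites this FROM line via sed; keep the image string in sync` above it. `latest5` is also a floating tag, so standalone builds of this test image are not reproducible.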
diff --git a/test-compose/idp/container_files/config/tomcat/server.xml b/test-compose/idp/container_files/config/tomcat/server.xml
index b837d9e..9b26840 100644
--- a/test-compose/idp/container_files/config/tomcat/server.xml
+++ b/test-compose/idp/container_files/config/tomcat/server.xml
@@ -4,12 +4,12 @@
-
+
+ certificateFile="/opt/certs/idp-default.crt"
+ certificateKeyFile="/opt/certs/idp-default.key" />
+
diff --git a/test-compose/webisoget/Dockerfile b/test-compose/webisoget/Dockerfile
new file mode 100644
index 0000000..dadf692
--- /dev/null
+++ b/test-compose/webisoget/Dockerfile
@@ -0,0 +1,10 @@
+FROM rockylinux:8.6
+
+RUN yum -y install libtool autoconf automake gcc make libcurl-devel openssl-devel git
+
+RUN cd /; git clone https://github.com/UWIT-IAM/webisoget; cd /webisoget; bash ./boot;./configure --disable-dependency-tracking;make;make install
+
+COPY sptest.login /webisoget
+
+#ENTRYPOINT ["usr/local/bin/webisoget"]
+CMD ["tail", "-f", "/dev/null"]
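Review bot: The build step on the clone line joins its commands with `;`, so a failing `./boot`, `./configure` or `make` is ignored and the layer still succeeds, producing a test image without the `webisoget` binary and a confusing failure later in fulltest.sh; chain with `&&` and use `WORKDIR` instead of `cd`: `RUN git clone https://github.com/UWIT-IAM/webisoget /webisoget && cd /webisoget && bash ./boot && ./configure --disable-dependency-tracking && make && make install`. The clone is not pinned to a tag or commit, so the helper builds whatever the upstream default branch holds at the time, and the `yum install` layer has no `yum clean all`. The commented ENTRYPOINT path `usr/local/bin/webisoget` is missing its leading slash if it is ever re-enabled.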
diff --git a/test-compose/webisoget/sptest.login b/test-compose/webisoget/sptest.login
new file mode 100644
index 0000000..f41b11c
--- /dev/null
+++ b/test-compose/webisoget/sptest.login
@@ -0,0 +1,3 @@
+name=; domain=idp.example.edu; j_username=kwhite; j_password=password;
+name=shibboleth;
+name=form1;submit_value=Continue;
diff --git a/tests/cleanup.sh b/tests/cleanup.sh
new file mode 100755
index 0000000..98f3b37
--- /dev/null
+++ b/tests/cleanup.sh
@@ -0,0 +1,19 @@
+#!/bin/bash
+
+. ./common.bash
+
+result=$(docker ps -a | grep ${imagename}_${tag})
+if [ ! -z "$result" ]; then
+ echo "removing existing containers"
+ docker rm -f $(docker ps -a | grep ${imagename}_${tag} | awk '{print $1}')
+fi
+docker rmi -f ${imagename}_${tag}
+
+result2=$(docker ps -a | grep ${imagename}_${tag}:arm64)
+if [ ! -z "$result2" ]; then
+ echo "removing existing containers"
+ docker rm -f $(docker ps -a | grep ${imagename}_${tag}:arm64 | awk '{print $1}')
+fi
+docker rmi -f ${imagename}_${tag}:arm64
+
+
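Review bot: `docker ps -a | grep ${imagename}_${tag}` is a substring match over the whole listing, so it also removes any container whose name or image merely contains that string, and since the first block already matches the `:arm64` containers the second block is largely redundant. Ask docker for the ids directly and quote the variables: `docker rm -f $(docker ps -aq --filter "ancestor=${imagename}_${tag}")` (and the same with `:arm64`), which avoids the `grep | awk` parsing entirely.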
diff --git a/tests/fulltest.sh b/tests/fulltest.sh
index 40d7d0a..9f0814b 100755
--- a/tests/fulltest.sh
+++ b/tests/fulltest.sh
@@ -1,4 +1,7 @@
#!/bin/bash
+echo "Starting fulltest.sh script..."
+
+. ./common.bash
pushd test-compose &>/dev/null
echo "Launching fresh containers..."
@@ -12,38 +15,34 @@ sleep 60
pushd tests &>/dev/null
rm -f ./lastpage.txt
-#ensure webisoget is installed
-echo "ensuring that webisoget is installed..."
-rpm -q webisoget &>/dev/null
-if [ $? -ne '0' ]; then
- echo "downloading webisoget rpm"
- curl -s -L -o webisoget-2.8.7-1.x86_64.rpm https://github.internet2.edu/docker/util/blob/master/bin/webisoget-2.8.7-1.x86_64.rpm?raw=true
- if [ -s webisoget-2.8.7-1.x86_64.rpm ]; then
- echo "installing rpm..."
- sudo rpm -ivh webisoget-2.8.7-1.x86_64.rpm
- rm -f webisoget-2.8.7-1.x86_64.rpm
- else
- echo "can't get webisoget rpm..."
- exit 1
- fi
-else
- echo "webisoget already installed..."
-fi
-
#ensure that name resolution is in place
ping -c 1 sptest.example.edu &>/dev/null
if [ $? -ne '0' ]; then
- echo "adding hosts record for sp..."
- echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts
+ echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (SP missing)"
+ exit 1
+# echo "adding hosts record for sp..."
+# echo '127.0.0.1 sptest.example.edu' | sudo tee -a /etc/hosts
fi
ping -c 1 idp.example.edu &>/dev/null
if [ $? -ne '0' ]; then
- echo "adding hosts record for idp..."
- echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts
+ echo "ERROR: You must set name resolution for the IdP test suite on this host for tests to completei (IdP missing)"
+ exit 1
+# echo "adding hosts record for idp..."
+# echo '127.0.0.1 idp.example.edu' | sudo tee -a /etc/hosts
fi
+# replace FROM line in IdP Dockerfile to newly-built local image
+echo "Setting test suite to base from new IdP image: ${imagename}_${tag}"
+sed -i "s*FROM i2incommon/shib-idp:latest5*FROM ${imagename}_${tag}*g" ../test-compose/idp/Dockerfile
+
echo "Attempting full-cycle test..."
-webisoget -verbose -out ./lastpage.txt -formfile ./sptest.login -url https://sptest.example.edu:8443/secure/index.php
+
+#build webisoget container
+pushd ../test-compose/webisoget/ &>/dev/null
+docker build -t webisoget .
+popd &>/dev/null
+
+docker run --net host -w /webisoget/ -i webisoget /bin/bash -c "rm -f lastpage.txt & webisoget -out ./lastpage.txt -maxhop 100 -timeout 120 -formfile /webisoget/sptest.login -url https://sptest.example.edu:8443/secure/index.php && cat lastpage.txt" > lastpage.txt
if [ -s ./lastpage.txt ]; then
cat lastpage.txt | grep kwhite@example.edu &>/dev/null
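Review bot: In the new `docker run` command, `rm -f lastpage.txt & webisoget -out ./lastpage.txt …` uses a single `&`, which backgrounds the `rm` and races it against webisoget writing the same file; it should read `rm -f lastpage.txt && webisoget -out ./lastpage.txt …`. The `sed -i` on the tracked test-compose/idp/Dockerfile rewrites a checked-in file in place, so the working tree is left modified and a second run finds no `latest5` to replace; passing the base image via `docker build --build-arg` or editing a copy would be idempotent. The two new error messages contain the typo "completei", and the `docker run` has no `--rm`, so each test run leaves a stopped webisoget container behind.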
diff --git a/tests/main.bats b/tests/main.bats
index 4fa64f1..75a5d29 100644
--- a/tests/main.bats
+++ b/tests/main.bats
@@ -3,11 +3,11 @@
load ../common
@test "010 Image is present and healthy" {
- docker image inspect ${maintainer}/${imagename}
+ docker image inspect ${imagename}_${tag}
}
@test "020 All key files are present" {
- docker run --rm -i ${maintainer}/${imagename} \
+ docker run --rm -i ${imagename}_${tag} \
find \
/opt/shibboleth-idp/credentials/idp-encryption.crt \
/opt/shibboleth-idp/credentials/idp-encryption.key \
@@ -18,10 +18,10 @@ load ../common
}
@test "030 Port 443/https is listening" {
- docker run -d ${maintainer}/${imagename}
+ docker run -d ${imagename}_${tag}
sleep 25
#get cont id
- contid=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ')
+ contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')
run docker exec -i ${contid} sh -c 'cat < /dev/null > /dev/tcp/127.0.0.1/443'
docker kill ${contid} &>/dev/null
docker rm ${contid} &>/dev/null
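Review bot: `contid=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')` is a substring match over the running-container listing, so a container from the `:arm64` image or one left over from an earlier failed test also matches and `contid` becomes several ids, which then breaks the `docker exec`. `docker run -d` already prints the new container's id, so `contid=$(docker run -d ${imagename}_${tag})` removes the grep and the ambiguity; the same applies to `contid2` in the next hunk.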
@@ -29,9 +29,9 @@ load ../common
}
@test "040 The IdP Status page is present" {
- docker run -d ${maintainer}/${imagename}
+ docker run -d ${imagename}_${tag}
sleep 60
- contid2=$(docker ps | grep ${maintainer}/${imagename} | cut -f 1 -d ' ')
+ contid2=$(docker ps | grep ${imagename}_${tag} | cut -f 1 -d ' ')
run docker exec -i ${contid2} sh -c 'curl -I -k -s -f https://127.0.0.1/idp/status'
docker kill ${contid2} &>/dev/null
docker rm ${contid2} &>/dev/null
@@ -39,18 +39,14 @@ load ../common
}
@test "050 The version of Tomcat is current" {
- ./tests/checktomcatver.sh ${maintainer}/${imagename}
+ ./tests/checktomcatver.sh ${imagename}_${tag}
}
@test "060 The version of the IdP is current" {
- ./tests/checkidpver.sh ${maintainer}/${imagename}
+ ./tests/checkidpver.sh ${imagename}_${tag}
}
-@test "070 There are no known security vulnerabilities" {
- ./tests/clairscan.sh ${maintainer}/${imagename}:latest
-}
-
-@test "080 The IdP successfully completed a full-cycle test with an SP" {
+@test "070 The IdP successfully completed a full-cycle test with an SP" {
./tests/fulltest.sh
}
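Review bot: Removing test 070 means a local `bats tests` run no longer performs any vulnerability check; scanning now exists only in the Jenkins Scan stage, and its fatal gate covers OS packages alone, which is narrower than the removed clairscan test. Record that relocation where the test used to be, e.g. `# vulnerability scanning moved to the Jenkinsfile 'Scan' stage (trivy)`, so someone running the suite outside CI knows the coverage gap.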