merge latest5 branch

Dockerfile

@@ -1,16 +1,16 @@
-FROM --platform=$TARGETPLATFORM rockylinux:8.9
+FROM --platform=$TARGETPLATFORM rockylinux/rockylinux:8.10
 
 ########################
 ### VERSION SETTINGS ###
 ########################
 #
 ##tomcat \
 ENV TOMCAT_MAJOR=10 \
-    TOMCAT_VERSION=10.1.18 \
+    TOMCAT_VERSION=10.1.30 \
 ##shib-idp \
-    VERSION=5.0.0 \
+    VERSION=5.1.3 \
 ##TIER \
-    TIERVERSION=20240124_rocky8_multiarch \
+    TIERVERSION=20240930_rocky8_multiarch \
 #################### \
 #### OTHER VARS #### \
 #################### \
@@ -95,7 +95,6 @@ RUN mkdir -p /tmp/shibboleth && cd /tmp/shibboleth && \
 	./bin/install.sh \
         --noPrompt true \
       	--propertyFile /tmp/idp.installer.properties && \
-
 # Cleanup
     cd ~ && \
     rm -rf /tmp/shibboleth

container_files/idp/idp.installer.properties

@@ -1,4 +1,4 @@
-idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-5.0.0
+idp.src.dir=/tmp/shibboleth/shibboleth-identity-provider-5.1.3
 idp.target.dir=/opt/shibboleth-idp
 idp.host.name=idp.example.org
 idp.sealer.password=changeit

container_files/idp/rotateSealerKey.sh

@@ -16,22 +16,17 @@ then
     exit 1
  fi
 
- # Default JAVA_HOME if not already set
- if [ -d "${JAVA_HOME:=/usr}" ]
- then
-    export JAVA_HOME=${JAVA_HOME:=/usr}
- else
-    echo "ERROR: JAVA_HOME Directory does not exist: ${JAVA_HOME:=/usr}" >&2
-    exit 1
- fi
-
  function get_config {
     # Key to lookup (escape . for regex lookup)
     local KEY=${1:?"No key provided to look up value"}
     # Passed default value
     local DEFAULT="${2:-}"
     # Lookup key, strip spaces, replace idp.home with IDP_HOME value
     local RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=(.*)\s*$|\1|; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p}' ${IDP_HOME}/conf/idp.properties)
+    if [ -z "$RESULT" ]
+    then
+       local RESULT=$(sed -rn '/^'"${KEY//./\\.}"'\s*=/ { s|^[^=]*=(.*)\s*$|\1|; s|%\{idp\.home\}|'"${IDP_HOME}"'|g; p}' ${IDP_HOME}/credentials/secrets.properties)
+    fi
     # Set if no result with default - exit if no default
     echo ${RESULT:-${DEFAULT:?"No value in config and no default defined for: '${KEY}'"}}
  }
@@ -48,12 +43,19 @@ then
  sync_hosts=$(get_config idp.sealer._sync_hosts ${HOSTNAME})
 
  # Run the keygen utility
- ${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \
-    --storefile "${storefile}" \
-    --storepass "${storepass}" \
-    --versionfile "${versionfile}" \
-    --alias "${alias}" \
-    --count "${count}"
+ ${0%/*}/seckeygen.sh \
+     --storefile "${storefile}" \
+     --storepass "${storepass}" \
+     --versionfile "${versionfile}" \
+     --alias "${alias}" \
+     --count "${count}"
+
+# ${0%/*}/runclass.sh net.shibboleth.utilities.java.support.security.BasicKeystoreKeyStrategyTool \
+#    --storefile "${storefile}" \
+#    --storepass "${storepass}" \
+#    --versionfile "${versionfile}" \
+#    --alias "${alias}" \
+#    --count "${count}"
 
  # Display current version
  echo "INFO: $(tac "${versionfile}" | tr "\n" " ")" >&2
@@ -73,3 +75,4 @@ then
  done
 
 fi
+

test-compose/data/Dockerfile

@@ -1,19 +1,24 @@
-FROM centos:centos7
+FROM rockylinux:8.9
 
 LABEL author="tier-packaging@internet2.edu <tier-packaging@internet2.edu>"
 
 # Set UTC Timezone & Networking
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
     && echo "NETWORKING=yes" > /etc/sysconfig/network
 
-# Install base deps
-RUN rm -fr /var/cache/yum/* && yum clean all && yum -y update && yum -y install --setopt=tsflags=nodocs epel-release && \
-    yum -y install 389-ds-base 389-admin 389-adminutil net-tools wget curl tar unzip mlocate logrotate strace telnet man unzip vim wget rsyslog cronie krb5-workstation openssl-devel wget supervisor && \
-    yum -y clean all && \
-    mkdir -p /opt/tier && \
-# Install Trusted Certificates
-    update-ca-trust force-enable
-
+RUN dnf module enable -y php:7.4
+RUN yum install -y epel-release \
+    && yum update -y \
+    && yum install -y phpldapadmin mod_ssl net-tools wget epel-release yum-utils php php-common php-opcache php-cli php-gd mod_php php-pgsql php-curl php-zip php-mbstring \
+    && yum clean all \
+    && rm -rf /var/cache/yum
+RUN yum module enable -y 389-ds:1.4
+RUN yum install -y 389-ds-base 389-ds-base-devel 389-ds-base-legacy-tools
+RUN yum install --allowerasing -y curl-full libcurl-full
+RUN rpm -Uvh https://rpms.remirepo.net/enterprise/remi-release-8.9.rpm
+RUN yum --enablerepo=remi,remi-test  install -y phpMyAdmin
+RUN yum install -y php71-php-mcrypt
+
 COPY container_files/seed-data/ /seed-data/
 
 RUN useradd ldapadmin \
@@ -25,17 +30,23 @@ RUN useradd ldapadmin \
     # Do not restart at the end \
     && sed -i '/if (@errs = startServer($inf))/,/}/d' /usr/lib64/dirsrv/perl/* \
     && setup-ds.pl --silent --file /seed-data/ds-setup.inf \
-    && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \ 
+    && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir \
     && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done; \
-    ldapadd -H ldap:/// -f /seed-data/users.ldif -x -D "cn=Directory Manager" -w password
+    ldapadd -H ldap:/// -f /seed-data/data.ldif -x -D "cn=Directory Manager" -w password \
+    && ldapmodify -H ldap:/// -f /seed-data/edumember-obj.ldif -x -D "cn=Directory Manager" -w password \
+    && ldapmodify -H ldap:/// -f /seed-data/ldappublickey-obj.ldif -x -D "cn=Directory Manager" -w password \
+    && ldapmodify -H ldap:/// -f /seed-data/voperson-obj.ldif -x -D "cn=Directory Manager" -w password \
+    && ldapmodify -H ldap:/// -f /seed-data/voposixaccount-obj.ldif -x -D "cn=Directory Manager" -w password \
+    && ldapadd -c -H ldap:/// -f /seed-data/users.ldif -x -D "cn=Directory Manager" -w password
 
-RUN (/usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir &) \
-    && while ! curl -s ldap://localhost:389 > /dev/null; do echo waiting for ldap to start; sleep 1; done;
+RUN openssl req -new -nodes -newkey rsa:2048 -subj "/commonName=localhost.localdomain" -batch -keyout /etc/pki/tls/private/localhost.key -out localhost.csr
+RUN openssl x509 -req -days 1825 -in localhost.csr -signkey /etc/pki/tls/private/localhost.key -out /etc/pki/tls/certs/localhost.crt
+RUN mkdir -p /run/php-fpm/
 
 EXPOSE 389
 
 HEALTHCHECK --interval=1m --timeout=10s \
   CMD cat < /dev/null > /dev/tcp/127.0.0.1/389 || exit 1
 
-CMD /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && tail -F /var/log/dirsrv/slapd-dir/errors
+CMD rm -rf /var/lock/dirsrv/slapd-dir/server/* && /usr/sbin/ns-slapd -D /etc/dirsrv/slapd-dir && php-fpm -D && httpd -DFOREGROUND && sleep infinity
 

test-compose/data/container_files/seed-data/data.ldif

@@ -0,0 +1,69 @@
+dn: cn=admin,dc=internet2,dc=edu
+objectClass: simpleSecurityObject
+objectClass: organizationalRole
+cn: admin
+userPassword: password
+description: LDAP administrator
+
+dn: uid=banderson,ou=People,dc=internet2,dc=edu
+objectClass: eduPerson
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Bob Anderson
+sn: Anderson
+givenName: Bob
+userPassword: password
+description: LDAP administrator
+
+dn: ou=Affiliations,ou=Groups,dc=internet2,dc=edu
+objectClass: top
+objectClass: organizationalUnit
+ou: Affiliations
+
+dn: ou=Courses,ou=Groups,dc=internet2,dc=edu
+objectClass: top
+objectClass: organizationalUnit
+ou: Courses
+
+dn: ou=midpoint,ou=Groups,dc=internet2,dc=edu
+objectClass: top
+objectClass: organizationalUnit
+ou: midpoint
+
+dn: ou=Generic,ou=Groups,dc=internet2,dc=edu
+objectClass: top
+objectClass: organizationalUnit
+ou: Generic
+
+dn: cn=users,ou=Groups,dc=internet2,dc=edu
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: uid=banderson,ou=People,dc=internet2,dc=edu
+cn: users
+
+dn: cn=sysadmingroup,ou=midpoint,ou=Groups,dc=internet2,dc=edu
+objectClass: groupOfUniqueNames
+objectClass: top
+uniqueMember: uid=banderson,ou=People,dc=internet2,dc=edu
+cn: sysadmingroup
+
+dn: ou=Guests,dc=internet2,dc=edu
+objectClass: top
+objectClass: organizationalUnit
+ou: Guests
+
+dn: uid=aguest,ou=Guests,dc=internet2,dc=edu
+objectClass: eduPerson
+objectClass: inetOrgPerson
+objectClass: organizationalPerson
+objectClass: person
+objectClass: top
+cn: Andy Guest
+sn: Aguest
+mail: andyaguestcspuser@workbench.incommon.org
+givenName: Andy
+userPassword: password
+description: A guest user
+

test-compose/data/container_files/seed-data/ds-setup.inf

@@ -16,7 +16,7 @@ ServerIpAddress = 0.0.0.0
 SysUser = nobody
 
 [slapd]
-AddOrgEntries = Yes
+AddOrgEntries = No
 AddSampleEntries = No
 InstallLdifFile = suggest
 RootDN = cn=Directory Manager

test-compose/data/container_files/seed-data/edumember-obj.ldif

@@ -0,0 +1,30 @@
+#
+# eduMember Objectclass
+#
+#
+# "eduMember" attributes
+#
+dn: cn=schema
+changetype: modify
+#
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.1 
+ NAME 'isMemberOf' 
+ DESC 'identifiers for groups to which containing entity belongs' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+attributeTypes: ( 1.3.6.1.4.1.5923.1.5.1.2 
+ NAME 'hasMember' 
+ DESC 'identifiers for entities that are members of the group' 
+ EQUALITY caseExactMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 )
+-
+#
+add: objectclasses
+objectClasses: ( 1.3.6.1.4.1.5923.1.5.2 NAME 'eduMember' 
+ AUXILIARY 
+ MAY ( isMemberOf $ hasMember ) 
+ )
+#
+# end of LDIF
+#

test-compose/data/container_files/seed-data/ldappublickey-obj.ldif

@@ -0,0 +1,29 @@
+#
+# ldapPublicKey Objectclass
+#
+#
+# ldapPublicKey attribute
+#
+dn: cn=schema
+changetype: modify
+#
+add: attributetypes
+attributeTypes: ( 1.3.6.1.4.1.24552.500.1.1.1.13 
+ NAME 'sshPublicKey' 
+ DESC 'MANDATORY: OpenSSH Public key' 
+ EQUALITY octetStringMatch 
+ SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 )
+-
+#
+add: objectclasses
+objectClasses: ( 1.3.6.1.4.1.24552.500.1.1.2.0 
+ NAME 'ldapPublicKey' 
+ DESC 'MANDATORY: OpenSSH LPK objectclass' 
+ SUP top 
+ AUXILIARY 
+ MUST ( sshPublicKey $ uid ) 
+ )
+#
+# end of LDIF
+#
+

test-compose/data/container_files/seed-data/users.ldif

@@ -1,10 +1,3 @@
-dn: cn=admin,dc=internet2,dc=edu
-objectClass: simpleSecurityObject
-objectClass: organizationalRole
-cn: admin
-userPassword: password
-description: LDAP administrator
-
 dn: uid=jsmith,ou=People,dc=internet2,dc=edu
 objectClass: organizationalPerson
 objectClass: person
@@ -16,29 +9,6 @@ sn: Smith
 cn: John Smith
 userPassword: password
 
-dn: uid=banderson,ou=People,dc=internet2,dc=edu
-objectClass: organizationalPerson
-objectClass: person
-objectClass: top
-objectClass: inetOrgPerson
-givenName: Bob
-uid: banderson
-sn: Anderson
-cn: Bob Anderson
-userPassword: password
-
-dn: cn=users,ou=Groups,dc=internet2,dc=edu
-objectClass: groupOfUniqueNames
-objectClass: top
-uniqueMember: uid=banderson,ou=People,dc=internet2,dc=edu
-uniqueMember: uid=jsmith,ou=People,dc=internet2,dc=edu
-cn: users
-
-
-
-
-
-
 dn: uid=kwhite,ou=People,dc=internet2,dc=edu
 objectClass: organizationalPerson
 objectClass: person