updates

Dockerfile

@@ -14,11 +14,6 @@ LABEL Version=$version
 
 LABEL Build docker build --rm --tag $maintainer/$imagename .
 
-ADD ./container_files/bin/httpd-shib-foreground  /usr/local/bin/
-ADD ./container_files/bin/shibboleth_keygen.sh  /usr/local/bin/
-ADD ./container_files/etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ 
-
-
 RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \
     && echo "NETWORKING=yes" > /etc/sysconfig/network
 
@@ -32,17 +27,32 @@ RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \
       && yum clean all \
       && rm /etc/httpd/conf.d/autoindex.conf \
       && rm /etc/httpd/conf.d/userdir.conf \
-      && rm /etc/httpd/conf.d/welcome.conf \
-      && chmod +x /usr/local/bin/httpd-shib-foreground \
-      && chmod +x /usr/local/bin/shibboleth_keygen.sh
+      && rm /etc/httpd/conf.d/welcome.conf
 
 # Export this variable so that shibd can find its CURL library
 RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"
 RUN export LD_LIBRARY_PATH
 
-# fix shibd.logger, other?.logger
+ADD ./container_files/system/httpd-shib-foreground  /usr/local/bin/
+ADD ./container_files/system/shibboleth_keygen.sh  /usr/local/bin/
+ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/
+ADD ./container_files/shibboleth/* /etc/shibboleth/
+
+RUN chmod +x /usr/local/bin/httpd-shib-foreground \
+      && chmod +x /usr/local/bin/shibboleth_keygen.sh
 
 # fix httpd logging to tier format
+RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \
+    && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \
+    && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \
+    && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf
+
+# add a basic page to shibb's default protected directory
+RUN mkdir -p /var/www/html/secure/
+ADD container_files/httpd/index.html /var/www/html/secure/
 
 
 EXPOSE 80 443

README.md

@@ -2,5 +2,4 @@
 
 [![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/shib-sp/master)](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master)
 
-This image is the parent of COmanage and Grouper containers, as it contains the OpenSUSE repositories for shibboleth package management, and an apache installation.
 

bin/ci-run.sh

@@ -3,4 +3,5 @@
 # This file will run a container in the background
 source common.bash .
 
-docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
+docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
+

bin/ci-stop.sh

@@ -6,3 +6,4 @@ source common.bash .
 echo "Cleaning up Docker image($maintainer/$imagename)"
 docker stop $imagename >> /dev/null
 docker rm $imagename
+

common.bash

@@ -1,3 +1,3 @@
 maintainer="tier"
 imagename="shibboleth_sp"
-version="2.5.1"
+version="3.0.2"

container_files/httpd/index.html

@@ -0,0 +1,3 @@
+<br />
+<h3>This page is protected by the Shibboleth SP.</h3>
+

container_files/shibboleth/native.logger

@@ -0,0 +1,40 @@
+# set overall behavior
+log4j.rootCategory=INFO, native_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.FileAppender
+log4j.appender.native_log.fileName=/tmp/logpipe
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=shibd;native.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.FileAppender
+log4j.appender.warn_log.fileName=/tmp/logpipe
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=shibd;native_warn.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
+

container_files/shibboleth/shibd.logger

@@ -0,0 +1,60 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.FileAppender
+log4j.appender.shibd_log.fileName=/tmp/logpipe
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.tran_log=org.apache.log4j.FileAppender
+log4j.appender.tran_log.fileName=/tmp/logpipe
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/tmp/logpipe
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m
+

tests/image.bats

@@ -11,17 +11,18 @@ load ../common
 }
 
 @test "Sample attribute map available" {
-  docker run -i $maintainer/$imagename find /opt/etc/shibboleth/attribute-map.xml
+  docker run -i $maintainer/$imagename find /etc/shibboleth/attribute-map.xml
 }
 
 @test "Includes InCommon cert" {
-  docker run -i $maintainer/$imagename find /opt/etc/shibboleth/inc-md-cert.pem
+  docker run -i $maintainer/$imagename find /etc/shibboleth/inc-md-cert.pem
 }
 
 @test "Includes Shibboleth keygenerator" {
-  docker run -i $maintainer/$imagename find /opt/bin/shibboleth_keygen.sh
+  docker run -i $maintainer/$imagename find /usr/local/bin/shibboleth_keygen.sh
 }
 
 @test "Includes httpd + shibd startup script" {
-  docker run -i $maintainer/$imagename find /opt/bin/httpd-shib-foreground
-}
+  docker run -i $maintainer/$imagename find /usr/local/bin/httpd-shib-foreground
+}
+

tests/running.bats

@@ -17,4 +17,5 @@ load ../common
 @test "Exposes running SSO process" {
   result="$(docker exec -i $imagename curl http://localhost/Shibboleth.sso/Status)"
   [ "$result" != '' ]
-}
+}
+