diff --git a/BINSCRIPTS.md b/BINSCRIPTS.md deleted file mode 100644 index f5949ba..0000000 --- a/BINSCRIPTS.md +++ /dev/null @@ -1,41 +0,0 @@ -# util - -This repository is intended to be downloaded into a container repository during development for convenience purposes. Since the major mechanisms of developing to the Docker container construction lifecycle are identical across container images, this repository allows for consistency and additional ease of use across all container images. - -## Install - -If you are reading this file in BINSCRIPTS.md, your container project is likely to be util-enabled. - -To use these scripts yourself, issue this command: - -``` -curl "https://github.internet2.edu/raw/docker/util/master/bin/install.sh?token=AAAAETsVKUnOEAMM8TvUUZccPYi13wsnks5Xq46jwA%3D%3D" | bash -``` - -### common.bash - -The installation process will create a common.bash file. This file should be the central, canonical authority for management of environment variables. While a subprocess may override them, the files in common.bash should be treated as authoritative defaults. Processes (e.g. `docker build`, `bats`, inside `Jenkinsfile`) can read this file and process the results therein. - -You should edit this file to change the image name, and add any other helpful environment variables. - -### Jenkinsfile - -This will also install a Jenkinsfile to your repository, if it doesn't have one. This will ensure that your Jenkins pipeline can leverage these scripts in the way intended. Ensuring the commands that you issue on your laptop match the commands issued by the build pipeline is critical to ensure predictable, reliable results. - -## Use - - -### Building - -#### build.sh -`bin/build.sh ` -#### destroy.sh -#### rebuild.sh - -### Running -### rerun.sh -### run.sh - - -### Testing -#### test.sh \ No newline at end of file diff --git a/Dockerfile b/Dockerfile index 8f4110b..44fce78 100644 --- a/Dockerfile +++ b/Dockerfile @@ -14,11 +14,6 @@ LABEL Version=$version LABEL Build docker build --rm --tag $maintainer/$imagename . -ADD ./container_files/bin/httpd-shib-foreground /usr/local/bin/ -ADD ./container_files/bin/shibboleth_keygen.sh /usr/local/bin/ -ADD ./container_files/etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ - - RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \ && echo "NETWORKING=yes" > /etc/sysconfig/network @@ -32,17 +27,32 @@ RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \ && yum clean all \ && rm /etc/httpd/conf.d/autoindex.conf \ && rm /etc/httpd/conf.d/userdir.conf \ - && rm /etc/httpd/conf.d/welcome.conf \ - && chmod +x /usr/local/bin/httpd-shib-foreground \ - && chmod +x /usr/local/bin/shibboleth_keygen.sh + && rm /etc/httpd/conf.d/welcome.conf # Export this variable so that shibd can find its CURL library RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64" RUN export LD_LIBRARY_PATH -# fix shibd.logger, other?.logger +ADD ./container_files/system/httpd-shib-foreground /usr/local/bin/ +ADD ./container_files/system/shibboleth_keygen.sh /usr/local/bin/ +ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/ +ADD ./container_files/shibboleth/* /etc/shibboleth/ + +RUN chmod +x /usr/local/bin/httpd-shib-foreground \ + && chmod +x /usr/local/bin/shibboleth_keygen.sh # fix httpd logging to tier format +RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \ + && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \ + && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \ + && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \ + && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \ + && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \ + && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf + +# add a basic page to shibb's default protected directory +RUN mkdir -p /var/www/html/secure/ +ADD container_files/httpd/index.html /var/www/html/secure/ EXPOSE 80 443 diff --git a/README.md b/README.md index 3f96763..4e686a3 100644 --- a/README.md +++ b/README.md @@ -2,5 +2,4 @@ [![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/shib-sp/master)](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master) -This image is the parent of COmanage and Grouper containers, as it contains the OpenSUSE repositories for shibboleth package management, and an apache installation. diff --git a/bin/ci-run.sh b/bin/ci-run.sh index 70761f0..4ef1dc0 100755 --- a/bin/ci-run.sh +++ b/bin/ci-run.sh @@ -3,4 +3,5 @@ # This file will run a container in the background source common.bash . -docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename \ No newline at end of file +docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename + diff --git a/bin/ci-stop.sh b/bin/ci-stop.sh index 54ab019..60c6f27 100755 --- a/bin/ci-stop.sh +++ b/bin/ci-stop.sh @@ -6,3 +6,4 @@ source common.bash . echo "Cleaning up Docker image($maintainer/$imagename)" docker stop $imagename >> /dev/null docker rm $imagename + diff --git a/common.bash b/common.bash index 362ce33..8c19ea3 100644 --- a/common.bash +++ b/common.bash @@ -1,3 +1,3 @@ maintainer="tier" imagename="shibboleth_sp" -version="2.5.1" \ No newline at end of file +version="3.0.2" diff --git a/container_files/httpd/index.html b/container_files/httpd/index.html new file mode 100644 index 0000000..9b3dd7a --- /dev/null +++ b/container_files/httpd/index.html @@ -0,0 +1,3 @@ +
+

This page is protected by the Shibboleth SP.

+ diff --git a/container_files/shibboleth/native.logger b/container_files/shibboleth/native.logger new file mode 100644 index 0000000..1f01974 --- /dev/null +++ b/container_files/shibboleth/native.logger @@ -0,0 +1,40 @@ +# set overall behavior +log4j.rootCategory=INFO, native_log, warn_log + +# fairly verbose for DEBUG, so generally leave at INFO +log4j.category.XMLTooling.XMLObject=INFO +log4j.category.XMLTooling.KeyInfoResolver=INFO +log4j.category.Shibboleth.IPRange=INFO +log4j.category.Shibboleth.PropertySet=INFO + +# raise for low-level tracing of SOAP client HTTP/SSL behavior +log4j.category.XMLTooling.libcurl=INFO + +# useful categories to tune independently: +# +# tracing of SAML messages and security policies +#log4j.category.OpenSAML.MessageDecoder=DEBUG +#log4j.category.OpenSAML.MessageEncoder=DEBUG +#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG +# interprocess message remoting +#log4j.category.Shibboleth.Listener=DEBUG +# mapping of requests to applicationId +#log4j.category.Shibboleth.RequestMapper=DEBUG +# high level session cache operations +#log4j.category.Shibboleth.SessionCache=DEBUG +# persistent storage and caching +#log4j.category.XMLTooling.StorageService=DEBUG + +# define the appender + +log4j.appender.native_log=org.apache.log4j.FileAppender +log4j.appender.native_log.fileName=/tmp/logpipe +log4j.appender.native_log.layout=org.apache.log4j.PatternLayout +log4j.appender.native_log.layout.ConversionPattern=shibd;native.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + +log4j.appender.warn_log=org.apache.log4j.FileAppender +log4j.appender.warn_log.fileName=/tmp/logpipe +log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout +log4j.appender.warn_log.layout.ConversionPattern=shibd;native_warn.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n +log4j.appender.warn_log.threshold=WARN + diff --git a/container_files/shibboleth/shibd.logger b/container_files/shibboleth/shibd.logger new file mode 100644 index 0000000..d3b26cd --- /dev/null +++ b/container_files/shibboleth/shibd.logger @@ -0,0 +1,60 @@ +# set overall behavior +log4j.rootCategory=INFO, shibd_log + +# fairly verbose for DEBUG, so generally leave at INFO +log4j.category.XMLTooling.XMLObject=INFO +log4j.category.XMLTooling.KeyInfoResolver=INFO +log4j.category.Shibboleth.IPRange=INFO +log4j.category.Shibboleth.PropertySet=INFO + +# raise for low-level tracing of SOAP client HTTP/SSL behavior +log4j.category.XMLTooling.libcurl=INFO + +# useful categories to tune independently: +# +# tracing of SAML messages and security policies +#log4j.category.OpenSAML.MessageDecoder=DEBUG +#log4j.category.OpenSAML.MessageEncoder=DEBUG +#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG +#log4j.category.XMLTooling.SOAPClient=DEBUG +# interprocess message remoting +#log4j.category.Shibboleth.Listener=DEBUG +# mapping of requests to applicationId +#log4j.category.Shibboleth.RequestMapper=DEBUG +# high level session cache operations +#log4j.category.Shibboleth.SessionCache=DEBUG +# persistent storage and caching +#log4j.category.XMLTooling.StorageService=DEBUG + +# logs XML being signed or verified if set to DEBUG +log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log +log4j.additivity.XMLTooling.Signature.Debugger=false + +# the tran log blocks the "default" appender(s) at runtime +# Level should be left at INFO for this category +log4j.category.Shibboleth-TRANSACTION=INFO, tran_log +log4j.additivity.Shibboleth-TRANSACTION=false +# uncomment to suppress particular event types +#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN +#log4j.category.Shibboleth-TRANSACTION.Login=WARN +#log4j.category.Shibboleth-TRANSACTION.Logout=WARN + +# define the appenders + +log4j.appender.shibd_log=org.apache.log4j.FileAppender +log4j.appender.shibd_log.fileName=/tmp/logpipe +log4j.appender.shibd_log.maxFileSize=0 +log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout +log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + +log4j.appender.tran_log=org.apache.log4j.FileAppender +log4j.appender.tran_log.fileName=/tmp/logpipe +log4j.appender.tran_log.maxFileSize=0 +log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout +log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n + +log4j.appender.sig_log=org.apache.log4j.FileAppender +log4j.appender.sig_log.fileName=/tmp/logpipe +log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout +log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m + diff --git a/install.sh b/install.sh deleted file mode 100755 index ddfd5b0..0000000 --- a/install.sh +++ /dev/null @@ -1,13 +0,0 @@ -#!/usr/bin/env bash -git clone git@github.internet2.edu:docker/util.git -find util/bin -name "*.sh" -exec sh -c 'echo "$1" | sed "s/util\///" >> .gitignore' -- {} \; -mkdir -p bin -mv util/bin/* bin/. -mv util/README.md BINSCRIPTS.md -if [ ! -f common.bash ]; then - mv util/common.bash.sample common.bash -fi -if [ ! -f Jenkinsfile ]; then - mv util/Jenkinsfile.sample Jenkinsfile -fi -rm -rf util diff --git a/tests/image.bats b/tests/image.bats index 769c4c9..3d9fb5e 100644 --- a/tests/image.bats +++ b/tests/image.bats @@ -11,17 +11,18 @@ load ../common } @test "Sample attribute map available" { - docker run -i $maintainer/$imagename find /opt/etc/shibboleth/attribute-map.xml + docker run -i $maintainer/$imagename find /etc/shibboleth/attribute-map.xml } @test "Includes InCommon cert" { - docker run -i $maintainer/$imagename find /opt/etc/shibboleth/inc-md-cert.pem + docker run -i $maintainer/$imagename find /etc/shibboleth/inc-md-cert.pem } @test "Includes Shibboleth keygenerator" { - docker run -i $maintainer/$imagename find /opt/bin/shibboleth_keygen.sh + docker run -i $maintainer/$imagename find /usr/local/bin/shibboleth_keygen.sh } @test "Includes httpd + shibd startup script" { - docker run -i $maintainer/$imagename find /opt/bin/httpd-shib-foreground -} \ No newline at end of file + docker run -i $maintainer/$imagename find /usr/local/bin/httpd-shib-foreground +} + diff --git a/tests/running.bats b/tests/running.bats index 882aaec..781715b 100644 --- a/tests/running.bats +++ b/tests/running.bats @@ -17,4 +17,5 @@ load ../common @test "Exposes running SSO process" { result="$(docker exec -i $imagename curl http://localhost/Shibboleth.sso/Status)" [ "$result" != '' ] -} \ No newline at end of file +} +