From 4d8885c5cf25b262d9ec72c44582384170268f93 Mon Sep 17 00:00:00 2001
From: Paul Caskey
Date: Fri, 12 Oct 2018 22:15:15 +0000
Subject: [PATCH] updates
---
 BINSCRIPTS.md | 41 ----------------
 Dockerfile | 28 +++++++----
 README.md | 1 -
 bin/ci-run.sh | 3 +-
 bin/ci-stop.sh | 1 +
 common.bash | 2 +-
 container_files/httpd/index.html | 3 ++
 container_files/shibboleth/native.logger | 40 ++++++++++++++++
 container_files/shibboleth/shibd.logger | 60 ++++++++++++++++++++++++
 install.sh | 13 -----
 tests/image.bats | 11 +++--
 tests/running.bats | 3 +-
 12 files changed, 134 insertions(+), 72 deletions(-)
 delete mode 100644 BINSCRIPTS.md
 create mode 100644 container_files/httpd/index.html
 create mode 100644 container_files/shibboleth/native.logger
 create mode 100644 container_files/shibboleth/shibd.logger
 delete mode 100755 install.sh
diff --git a/BINSCRIPTS.md b/BINSCRIPTS.md
deleted file mode 100644
index f5949ba..0000000
--- a/BINSCRIPTS.md
+++ /dev/null
@@ -1,41 +0,0 @@
-# util
-
-This repository is intended to be downloaded into a container repository during development for convenience purposes. Since the major mechanisms of developing to the Docker container construction lifecycle are identical across container images, this repository allows for consistency and additional ease of use across all container images.
-
-## Install
-
-If you are reading this file in BINSCRIPTS.md, your container project is likely to be util-enabled.
-
-To use these scripts yourself, issue this command:
-
-```
-curl "https://github.internet2.edu/raw/docker/util/master/bin/install.sh?token=AAAAETsVKUnOEAMM8TvUUZccPYi13wsnks5Xq46jwA%3D%3D" | bash
-```
-
-### common.bash
-
-The installation process will create a common.bash file. This file should be the central, canonical authority for management of environment variables. While a subprocess may override them, the files in common.bash should be treated as authoritative defaults. Processes (e.g. `docker build`, `bats`, inside `Jenkinsfile`) can read this file and process the results therein.
-
-You should edit this file to change the image name, and add any other helpful environment variables.
-
-### Jenkinsfile
-
-This will also install a Jenkinsfile to your repository, if it doesn't have one. This will ensure that your Jenkins pipeline can leverage these scripts in the way intended. Ensuring the commands that you issue on your laptop match the commands issued by the build pipeline is critical to ensure predictable, reliable results.
-
-## Use
-
-
-### Building
-
-#### build.sh
-`bin/build.sh `
-#### destroy.sh
-#### rebuild.sh
-
-### Running
-### rerun.sh
-### run.sh
-
-
-### Testing
-#### test.sh
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 8f4110b..44fce78 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -14,11 +14,6 @@ LABEL Version=$version LABEL Build docker build --rm --tag $maintainer/$imagename . -ADD ./container_files/bin/httpd-shib-foreground /usr/local/bin/ -ADD ./container_files/bin/shibboleth_keygen.sh /usr/local/bin/ -ADD ./container_files/etc/httpd/conf.d/ssl.conf /etc/httpd/conf.d/ - - RUN ln -sf /usr/share/zoneinfo/UTC /etc/localtime \ && echo "NETWORKING=yes" > /etc/sysconfig/network 
@@ -32,17 +27,32 @@ RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \ && yum clean all \ && rm /etc/httpd/conf.d/autoindex.conf \ && rm /etc/httpd/conf.d/userdir.conf \ - && rm /etc/httpd/conf.d/welcome.conf \ - && chmod +x /usr/local/bin/httpd-shib-foreground \ - && chmod +x /usr/local/bin/shibboleth_keygen.sh + && rm /etc/httpd/conf.d/welcome.conf # Export this variable so that shibd can find its CURL library RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64" RUN export LD_LIBRARY_PATH -# fix shibd.logger, other?.logger +ADD ./container_files/system/httpd-shib-foreground /usr/local/bin/ +ADD ./container_files/system/shibboleth_keygen.sh /usr/local/bin/ +ADD ./container_files/httpd/ssl.conf /etc/httpd/conf.d/ +ADD ./container_files/shibboleth/* /etc/shibboleth/ + +RUN chmod +x /usr/local/bin/httpd-shib-foreground \ + && chmod +x /usr/local/bin/shibboleth_keygen.sh # fix httpd logging to tier format +RUN sed -i 's/LogFormat "/LogFormat "httpd;access_log;%{ENV}e;%{USERTOKEN}e;/g' /etc/httpd/conf/httpd.conf \ + && echo -e "\nErrorLogFormat \"httpd;error_log;%{ENV}e;%{USERTOKEN}e;[%{u}t] [%-m:%l] [pid %P:tid %T] %7F: %E: [client\ %a] %M% ,\ referer\ %{Referer}i\"" >> /etc/httpd/conf/httpd.conf \ + && sed -i 's/CustomLog "logs\/access_log"/CustomLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \ + && sed -i 's/ErrorLog "logs\/error_log"/ErrorLog "\/tmp\/logpipe"/g' /etc/httpd/conf/httpd.conf \ + && echo -e "\nPassEnv ENV" >> /etc/httpd/conf/httpd.conf \ + && echo -e "\nPassEnv USERTOKEN" >> /etc/httpd/conf/httpd.conf \ + && sed -i '/UseCanonicalName/c\UseCanonicalName On' /etc/httpd/conf/httpd.conf + +# add a basic page to shibb's default protected directory +RUN mkdir -p /var/www/html/secure/ +ADD container_files/httpd/index.html /var/www/html/secure/ EXPOSE 80 443 diff --git a/README.md b/README.md index 3f96763..4e686a3 100644 --- a/README.md +++ b/README.md 
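Review bot: `ADD ./container_files/shibboleth/* /etc/shibboleth/` (and `ADD container_files/httpd/index.html /var/www/html/secure/` further down) should be `COPY`, since ADD additionally auto-extracts local tar archives and accepts URLs, and with a glob source any archive that later lands in that directory would be unpacked over the package's shipped config such as attribute-map.xml; `COPY ./container_files/shibboleth/ /etc/shibboleth/` expresses the intent without that extra behaviour. The context lines `RUN LD_LIBRARY_PATH="/opt/shibboleth/lib64"` and `RUN export LD_LIBRARY_PATH` that the new ADDs were moved under set nothing persistent, because each RUN executes in its own shell; if shibd needs it at runtime the form is `ENV LD_LIBRARY_PATH=/opt/shibboleth/lib64`. Both `CustomLog` and `ErrorLog` are rewritten to `/tmp/logpipe`, but nothing in this Dockerfile creates that FIFO; presumably httpd-shib-foreground does, and it should `mkfifo` it with restrictive permissions before httpd and shibd start, since otherwise the first writer would likely leave a plain, unbounded file in world-writable /tmp — a path under a dedicated directory such as /var/run avoids that class of problem. `UseCanonicalName On` only has its intended effect together with an explicit `ServerName`, which is not visible in this hunk. The `RUN curl` that the hunk opens on starts outside the hunk.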
@@ -2,5 +2,4 @@
 [![Build Status](https://jenkins.testbed.tier.internet2.edu/buildStatus/icon?job=docker/shib-sp/master)](https://jenkins.testbed.tier.internet2.edu/job/docker/shib-sp/master)
 
 
-This image is the parent of COmanage and Grouper containers, as it contains the OpenSUSE repositories for shibboleth package management, and an apache installation.
 
diff --git a/bin/ci-run.sh b/bin/ci-run.sh
index 70761f0..4ef1dc0 100755
--- a/bin/ci-run.sh
+++ b/bin/ci-run.sh
@@ -3,4 +3,5 @@
 # This file will run a container in the background
 source common.bash .
 
-docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
\ No newline at end of file
+docker run -d --name=$imagename -p 80:80 -p 443:443 $maintainer/$imagename
+
diff --git a/bin/ci-stop.sh b/bin/ci-stop.sh
index 54ab019..60c6f27 100755
--- a/bin/ci-stop.sh
+++ b/bin/ci-stop.sh
@@ -6,3 +6,4 @@ source common.bash .
 echo "Cleaning up Docker image($maintainer/$imagename)"
 docker stop $imagename >> /dev/null
 docker rm $imagename
+
diff --git a/common.bash b/common.bash
index 362ce33..8c19ea3 100644
--- a/common.bash
+++ b/common.bash
@@ -1,3 +1,3 @@
 maintainer="tier"
 imagename="shibboleth_sp"
-version="2.5.1"
\ No newline at end of file
+version="3.0.2"
diff --git a/container_files/httpd/index.html b/container_files/httpd/index.html
new file mode 100644
index 0000000..9b3dd7a
--- /dev/null
+++ b/container_files/httpd/index.html
@@ -0,0 +1,3 @@
+
+

This page is protected by the Shibboleth SP.

+
diff --git a/container_files/shibboleth/native.logger b/container_files/shibboleth/native.logger
new file mode 100644
index 0000000..1f01974
--- /dev/null
+++ b/container_files/shibboleth/native.logger
@@ -0,0 +1,40 @@
+# set overall behavior
+log4j.rootCategory=INFO, native_log, warn_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# define the appender
+
+log4j.appender.native_log=org.apache.log4j.FileAppender
+log4j.appender.native_log.fileName=/tmp/logpipe
+log4j.appender.native_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.native_log.layout.ConversionPattern=shibd;native.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.warn_log=org.apache.log4j.FileAppender
+log4j.appender.warn_log.fileName=/tmp/logpipe
+log4j.appender.warn_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.warn_log.layout.ConversionPattern=shibd;native_warn.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+log4j.appender.warn_log.threshold=WARN
+
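Review bot: Every WARN-or-higher event is emitted into `/tmp/logpipe` twice, because `native_log` (attached to the root category at INFO) and `warn_log` (`threshold=WARN`) are both FileAppenders on the same path and differ only in the `native.log` / `native_warn.log` tag. Unless the collector dedupes on that second field, drop `warn_log` from `log4j.rootCategory=INFO, native_log, warn_log` or point it at a separate sink. A FileAppender on `/tmp/logpipe` also assumes the FIFO already exists when mod_shib initialises inside httpd; if it does not, the library will presumably create an ordinary file at that path, so the ordering between httpd start-up and pipe creation (which lives outside this diff, in httpd-shib-foreground) becomes a silent failure mode, and a path under a non-world-writable directory would be safer. `${ENV}` and `${USERTOKEN}` appear to be substituted once when the configuration is loaded; confirm they are present in the environment of the httpd process itself, since the `PassEnv` directives added to httpd.conf only forward them to the request environment.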
diff --git a/container_files/shibboleth/shibd.logger b/container_files/shibboleth/shibd.logger new file mode 100644 index 0000000..d3b26cd --- /dev/null +++ b/container_files/shibboleth/shibd.logger 
@@ -0,0 +1,60 @@
+# set overall behavior
+log4j.rootCategory=INFO, shibd_log
+
+# fairly verbose for DEBUG, so generally leave at INFO
+log4j.category.XMLTooling.XMLObject=INFO
+log4j.category.XMLTooling.KeyInfoResolver=INFO
+log4j.category.Shibboleth.IPRange=INFO
+log4j.category.Shibboleth.PropertySet=INFO
+
+# raise for low-level tracing of SOAP client HTTP/SSL behavior
+log4j.category.XMLTooling.libcurl=INFO
+
+# useful categories to tune independently:
+#
+# tracing of SAML messages and security policies
+#log4j.category.OpenSAML.MessageDecoder=DEBUG
+#log4j.category.OpenSAML.MessageEncoder=DEBUG
+#log4j.category.OpenSAML.SecurityPolicyRule=DEBUG
+#log4j.category.XMLTooling.SOAPClient=DEBUG
+# interprocess message remoting
+#log4j.category.Shibboleth.Listener=DEBUG
+# mapping of requests to applicationId
+#log4j.category.Shibboleth.RequestMapper=DEBUG
+# high level session cache operations
+#log4j.category.Shibboleth.SessionCache=DEBUG
+# persistent storage and caching
+#log4j.category.XMLTooling.StorageService=DEBUG
+
+# logs XML being signed or verified if set to DEBUG
+log4j.category.XMLTooling.Signature.Debugger=INFO, sig_log
+log4j.additivity.XMLTooling.Signature.Debugger=false
+
+# the tran log blocks the "default" appender(s) at runtime
+# Level should be left at INFO for this category
+log4j.category.Shibboleth-TRANSACTION=INFO, tran_log
+log4j.additivity.Shibboleth-TRANSACTION=false
+# uncomment to suppress particular event types
+#log4j.category.Shibboleth-TRANSACTION.AuthnRequest=WARN
+#log4j.category.Shibboleth-TRANSACTION.Login=WARN
+#log4j.category.Shibboleth-TRANSACTION.Logout=WARN
+
+# define the appenders
+
+log4j.appender.shibd_log=org.apache.log4j.FileAppender
+log4j.appender.shibd_log.fileName=/tmp/logpipe
+log4j.appender.shibd_log.maxFileSize=0
+log4j.appender.shibd_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.shibd_log.layout.ConversionPattern=shibd;shibd.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.tran_log=org.apache.log4j.FileAppender
+log4j.appender.tran_log.fileName=/tmp/logpipe
+log4j.appender.tran_log.maxFileSize=0
+log4j.appender.tran_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.tran_log.layout.ConversionPattern=shibd;transaction.log;${ENV};${USERTOKEN};%d{%Y-%m-%d %H:%M:%S} %p %c %x: %m%n
+
+log4j.appender.sig_log=org.apache.log4j.FileAppender
+log4j.appender.sig_log.fileName=/tmp/logpipe
+log4j.appender.sig_log.layout=org.apache.log4j.PatternLayout
+log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m
+
diff --git a/install.sh b/install.sh
deleted file mode 100755
index ddfd5b0..0000000
--- a/install.sh
+++ /dev/null
@@ -1,13 +0,0 @@
-#!/usr/bin/env bash
-git clone git@github.internet2.edu:docker/util.git
-find util/bin -name "*.sh" -exec sh -c 'echo "$1" | sed "s/util\///" >> .gitignore' -- {} \;
-mkdir -p bin
-mv util/bin/* bin/.
-mv util/README.md BINSCRIPTS.md
-if [ ! -f common.bash ]; then
- mv util/common.bash.sample common.bash
-fi
-if [ ! -f Jenkinsfile ]; then
- mv util/Jenkinsfile.sample Jenkinsfile
-fi
-rm -rf util
diff --git a/tests/image.bats b/tests/image.bats
index 769c4c9..3d9fb5e 100644
--- a/tests/image.bats
+++ b/tests/image.bats
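Review bot: `log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m` lacks the `%n` every other pattern in this file ends with, so a signature-log record written to the shared `/tmp/logpipe` is not newline-terminated and whatever the next appender writes is glued onto the same line, breaking the `;`-delimited framing; change it to `log4j.appender.sig_log.layout.ConversionPattern=shibd;signature.log;${ENV};${USERTOKEN};%m%n`. Keeping `XMLTooling.Signature.Debugger` at INFO is the right default: per the file's own comment, DEBUG dumps the XML being signed or verified, which for an SP is the incoming assertion with its attributes, straight into the log stream. `maxFileSize=0` on `shibd_log` and `tran_log` is a RollingFileAppender setting and is presumably ignored by the plain `FileAppender` configured here (`sig_log` has none); drop it or say why it stays. Since the transaction log now shares the pipe with everything else, the consumer has to key on the second field (`transaction.log`) to separate audit records from diagnostics.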
@@ -11,17 +11,18 @@ load ../common
 }
 
 @test "Sample attribute map available" {
- docker run -i $maintainer/$imagename find /opt/etc/shibboleth/attribute-map.xml
+ docker run -i $maintainer/$imagename find /etc/shibboleth/attribute-map.xml
 }
 
 @test "Includes InCommon cert" {
- docker run -i $maintainer/$imagename find /opt/etc/shibboleth/inc-md-cert.pem
+ docker run -i $maintainer/$imagename find /etc/shibboleth/inc-md-cert.pem
 }
 
 @test "Includes Shibboleth keygenerator" {
- docker run -i $maintainer/$imagename find /opt/bin/shibboleth_keygen.sh
+ docker run -i $maintainer/$imagename find /usr/local/bin/shibboleth_keygen.sh
 }
 
 @test "Includes httpd + shibd startup script" {
- docker run -i $maintainer/$imagename find /opt/bin/httpd-shib-foreground
-}
\ No newline at end of file
+ docker run -i $maintainer/$imagename find /usr/local/bin/httpd-shib-foreground
+}
+
diff --git a/tests/running.bats b/tests/running.bats
index 882aaec..781715b 100644
--- a/tests/running.bats
+++ b/tests/running.bats
@@ -17,4 +17,5 @@ load ../common
 @test "Exposes running SSO process" {
 result="$(docker exec -i $imagename curl http://localhost/Shibboleth.sso/Status)"
 [ "$result" != '' ]
-}
\ No newline at end of file
+}
+
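Review bot: The relocated presence checks cover the two scripts and the two Shibboleth files, but nothing this commit adds — `/etc/shibboleth/shibd.logger`, `/etc/shibboleth/native.logger` and `/var/www/html/secure/index.html` — has a test, so a regression in the Dockerfile's copy of those files would still pass CI. A matching case would be `@test "Includes TIER logger configs" {` / `  docker run -i $maintainer/$imagename find /etc/shibboleth/shibd.logger /etc/shibboleth/native.logger` / `}`. The unquoted `$maintainer/$imagename` in every `docker run` line is carried over from before; `"$maintainer/$imagename"` is the usual form, even though both values come from common.bash. The bats file, with its `load ../common`, starts before this hunk.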