Adding sample configuration to all SP configured images

docker · Sep 12, 2016 · 5bcb08e · 5bcb08e
1 parent a58d229
commit 5bcb08e
Showing 5 changed files with 143 additions and 0 deletions.
diff --git a/Dockerfile b/Dockerfile
@@ -28,6 +28,9 @@ RUN curl -o /etc/yum.repos.d/security:shibboleth.repo \
       && rm /etc/httpd/conf.d/welcome.conf
 
 COPY httpd-shib-foreground /usr/local/bin/
+COPY conf/attribute-map.xml /opt/etc/shibboleth/attribute-map.xml
+COPY conf/inc-md-cert.pem /opt/etc/shibboleth/inc-md-cert.pem
+COPY conf/shibboleth_keygen.sh /opt/bin/shibboleth_keygen.sh
 
 EXPOSE 80 443
 CMD ["httpd-shib-foreground"]
diff --git a/conf/attribute-map.xml b/conf/attribute-map.xml
@@ -0,0 +1,32 @@
+<Attributes xmlns="urn:mace:shibboleth:2.0:attribute-map" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance">
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.6" id="eppn">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.9" id="affiliation">
+        <AttributeDecoder xsi:type="ScopedAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.1" id="unscoped-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.7" id="entitlement"/>
+
+    <Attribute name="urn:oasis:names:tc:SAML:2.0:nameid-format:persistent" id="persistent-id">
+        <AttributeDecoder xsi:type="NameIDAttributeDecoder" formatter="$NameQualifier!$SPNameQualifier!$Name" defaultQualifiers="true"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:1.3.6.1.4.1.5923.1.1.1.5" id="primary-affiliation">
+        <AttributeDecoder xsi:type="StringAttributeDecoder" caseSensitive="false"/>
+    </Attribute>
+
+    <Attribute name="urn:oid:2.5.4.4" id="sn"/>
+    <Attribute name="urn:oid:2.5.4.42" id="givenName"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.241" id="displayName"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.1" id="uid"/>
+    <Attribute name="urn:oid:0.9.2342.19200300.100.1.3" id="mail"/>
+    <Attribute name="urn:oid:2.16.840.1.113730.3.1.3" id="employeeNumber"/>
+
+</Attributes>
diff --git a/conf/inc-md-cert.pem b/conf/inc-md-cert.pem
@@ -0,0 +1,21 @@
+-----BEGIN CERTIFICATE-----
+MIIDgTCCAmmgAwIBAgIJAJRJzvdpkmNaMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV
+BAYTAlVTMRUwEwYDVQQKDAxJbkNvbW1vbiBMTEMxMTAvBgNVBAMMKEluQ29tbW9u
+IEZlZGVyYXRpb24gTWV0YWRhdGEgU2lnbmluZyBLZXkwHhcNMTMxMjE2MTkzNDU1
+WhcNMzcxMjE4MTkzNDU1WjBXMQswCQYDVQQGEwJVUzEVMBMGA1UECgwMSW5Db21t
+b24gTExDMTEwLwYDVQQDDChJbkNvbW1vbiBGZWRlcmF0aW9uIE1ldGFkYXRhIFNp
+Z25pbmcgS2V5MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA0Chdkrn+
+dG5Zj5L3UIw+xeWgNzm8ajw7/FyqRQ1SjD4Lfg2WCdlfjOrYGNnVZMCTfItoXTSp
+g4rXxHQsykeNiYRu2+02uMS+1pnBqWjzdPJE0od+q8EbdvE6ShimjyNn0yQfGyQK
+CNdYuc+75MIHsaIOAEtDZUST9Sd4oeU1zRjV2sGvUd+JFHveUAhRc0b+JEZfIEuq
+/LIU9qxm/+gFaawlmojZPyOWZ1JlswbrrJYYyn10qgnJvjh9gZWXKjmPxqvHKJcA
+TPhAh2gWGabWTXBJCckMe1hrHCl/vbDLCmz0/oYuoaSDzP6zE9YSA/xCplaHA0mo
+C1Vs2H5MOQGlewIDAQABo1AwTjAdBgNVHQ4EFgQU5ij9YLU5zQ6K75kPgVpyQ2N/
+lPswHwYDVR0jBBgwFoAU5ij9YLU5zQ6K75kPgVpyQ2N/lPswDAYDVR0TBAUwAwEB
+/zANBgkqhkiG9w0BAQsFAAOCAQEAaQkEx9xvaLUt0PNLvHMtxXQPedCPw5xQBd2V
+WOsWPYspRAOSNbU1VloY+xUkUKorYTogKUY1q+uh2gDIEazW0uZZaQvWPp8xdxWq
+Dh96n5US06lszEc+Lj3dqdxWkXRRqEbjhBFh/utXaeyeSOtaX65GwD5svDHnJBcl
+AGkzeRIXqxmYG+I2zMm/JYGzEnbwToyC7yF6Q8cQxOr37hEpqz+WN/x3qM2qyBLE
+CQFjmlJrvRLkSL15PCZiu+xFNFd/zx6btDun5DBlfDS9DG+SHCNH6Nq+NfP+ZQ8C
+GzP/3TaZPzMlKPDCjp0XOQfyQqFIXdwjPFTWjEusDBlm4qJAlQ==
+-----END CERTIFICATE-----
diff --git a/conf/shibboleth_keygen.sh b/conf/shibboleth_keygen.sh
@@ -0,0 +1,75 @@
+#! /bin/sh
+
+while getopts h:u:g:o:e:y:bf c
+     do
+         case $c in
+           o)         OUT=$OPTARG;;
+           b)         BATCH=1;;
+           f)         FORCE=1;;
+           h)         FQDN=$OPTARG;;
+           e)         ENTITYID=$OPTARG;;
+           y)         YEARS=$OPTARG;;
+           \?)        echo "shibboleth_keygen [-o output directory (default .)] [-h hostname for cert] [-y years to issue cert] [-e entityID to embed in cert]"
+                      exit 1;;
+         esac
+     done
+if [ -z "$OUT" ] ; then
+    OUT=.
+fi
+
+if [ -n "$FORCE" ] ; then
+    rm $OUT/sp-key.pem $OUT/sp-cert.pem
+fi
+
+if  [ -s $OUT/sp-key.pem -o -s $OUT/sp-cert.pem ] ; then
+    if [ -z "$BATCH" ] ; then  
+        echo The files $OUT/sp-key.pem and/or $OUT/sp-cert.pem already exist!
+        echo Use -f option to force recreation of keypair.
+        exit 2
+    fi
+    exit 0
+fi
+
+if [ -z "$FQDN" ] ; then
+    FQDN=`hostname --fqdn`
+fi
+
+if [ -z "$YEARS" ] ; then
+    YEARS=10
+fi
+
+DAYS=`expr $YEARS \* 365`
+
+if [ -z "$ENTITYID" ] ; then
+    ALTNAME=DNS:$FQDN
+else
+    ALTNAME=DNS:$FQDN,URI:$ENTITYID
+fi
+
+SSLCNF=$OUT/sp-cert.cnf
+cat >$SSLCNF <<EOF
+# OpenSSL configuration file for creating sp-cert.pem
+[req]
+prompt=no
+default_bits=2048
+encrypt_key=no
+default_md=sha1
+distinguished_name=dn
+# PrintableStrings only
+string_mask=MASK:0002
+x509_extensions=ext
+[dn]
+CN=$FQDN
+[ext]
+subjectAltName=$ALTNAME
+subjectKeyIdentifier=hash
+EOF
+
+touch $OUT/sp-key.pem
+chmod 600 $OUT/sp-key.pem
+if [ -z "$BATCH" ] ; then
+    openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem
+else
+    openssl req -config $SSLCNF -new -x509 -days $DAYS -keyout $OUT/sp-key.pem -out $OUT/sp-cert.pem 2> /dev/null
+fi
+rm $SSLCNF
diff --git a/tests/image.bats b/tests/image.bats
@@ -8,4 +8,16 @@ load ../common
 
 @test "Shibboleth root available" {
   docker run -i $maintainer/$imagename find /etc/shibboleth
+}
+
+@test "Sample attribute map available" {
+  docker run -i $maintainer/$imagename find /opt/etc/shibboleth/attribute-map.xml
+}
+
+@test "Includes InCommon cert" {
+  docker run -i $maintainer/$imagename find /opt/etc/shibboleth/inc-md-cert.pem
+}
+
+@test "Includes Shibboleth keygenerator" {
+  docker run -i $maintainer/$imagename find /opt/bin/shibboleth_keygen.sh
 }