Initial commit

Dockerfile

@@ -0,0 +1,49 @@
+FROM alpine:3.7 as bootstrap
+
+ARG version=1.4.0
+
+COPY bootstrapfiles/shibui-${version}.jar.sha256sum .
+
+RUN wget https://github.internet2.edu/TIER/shib-idp-ui/releases/download/v${version}/shibui-${version}.jar \
+    && sha256sum -c shibui-${version}.jar.sha256sum && mv shibui-${version}.jar shibui.jar
+
+FROM centos:7
+
+# beacon env
+ENV VERSION=${version} \
+    TIERVERSION=18xxxx \
+    IMAGE=shibboleth_idp_ui \
+    MAINTAINER=xxxx
+
+COPY containerfiles/RPM-GPG-KEY-azulsystems .
+
+RUN rpm --import RPM-GPG-KEY-azulsystems
+RUN curl -o /etc/yum.repos.d/zulu.repo http://repos.azulsystems.com/rhel/zulu.repo
+RUN yum -q -qy update \
+    && yum -qy install --setopt=tsflags=nodocs epel-release \
+    && yum -qy install zulu-11 curl cronie supervisor \
+    && yum clean all \
+    && rm -rf /var/cache/yum
+
+RUN mkdir -p /opt/shibui
+COPY --from=bootstrap shibui.jar /opt/shibui/
+
+COPY containerfiles/supervisord.conf /etc/supervisor/supervisord.conf
+COPY containerfiles/sendtierbeacon.sh /usr/bin
+COPY containerfiles/setupcron.sh /usr/bin
+RUN chmod +x /usr/bin/sendtierbeacon.sh \
+    && mkdir /opt/tier \
+    && chmod +x /usr/bin/setupcron.sh \
+    && /usr/bin/setupcron.sh
+
+# TIER Beacon Opt-out
+# Completely uncomment the following ENV line to prevent the containers from sending analytics information to Internet2.
+# With the default/release configuration, it will only send product (Shibb/Grouper/COmanage) and version (3.3.1-17040, etc) 
+#   once daily between midnight and 4am.  There is no configuration or private information collected or sent.  
+# This data helps with the scalaing and funding of TIER.  Please do not disable it if you find the TIER tools useful.
+# To keep it commented, keep multiple comments on the following line (to prevent other scripts from processing it).
+#####     ENV TIER_BEACON_OPT_OUT True
+
+WORKDIR /opt/shibui
+
+CMD ["/usr/bin/supervisord", "-c", "/etc/supervisor/supervisord.conf"]

bootstrapfiles/shibui-1.4.0.jar.sha256sum

@@ -0,0 +1 @@
+573a00e2891d55d46ec994e0b183b4c32726326b9caa62c99eeb268072c74bd2  shibui-1.4.0.jar

containerfiles/RPM-GPG-KEY-azulsystems

@@ -0,0 +1,30 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1
+
+mQINBFNgFa8BEADTL/REB10M+TfiZOtFHqL5LHKkzTMn/O2r5iIqXGhi6iwZazFs
+9S5g1eU7WMen5Xp9AREs+OvaHx91onPZ7ZiP7VpZ6ZdwWrnVk1Y/HfI59tWxmNYW
+DmKYBGMj4EUpFPSE9EnFj7dm1WdlCvpognCwZQl9D3BseGqN7OLHfwqqmOlbYN9h
+HYkT+CaqOoWDIGMB3UkBlMr0GuujEP8N1gxg7EOcSCsZH5aKtXubdUlVSphfAAwD
+z4MviB39J22sPBnKmaOT3TUTO5vGeKtC9BAvtgA82jY2TtCEjetnfK/qtzj/6j2N
+xVUbHQydwNQVRU92A7334YvCbn3xUUNI0WOscdmfpgCU0Z9Gb2IqDb9cMjgUi8F6
+MG/QY9/CZjX62XrHRPm3aXsCJOVh/PO1sl2A/rvv8AkpJKYyhm6T8OBFptCsA3V4
+Oic7ZyYhqV0u2r4NON+1MoUeuuoeY2tIrbRxe3ffVOxPzrESzSbc8LC2tYaP+wGd
+W0f57/CoDkUzlvpReCUI1Bv5zP4/jhC63Rh6lffvSf2tQLwOsf5ivPhUtwUfOQjg
+v9P8Wc8K7XZpSOMnDZuDe9wuvB/DiH/P5yiTs2RGsbDdRh5iPfwbtf2+IX6h2lNZ
+XiDKt9Gc26uzeJRx/c7+sLunxq6DLIYvrsEipVI9frHIHV6fFTmqMJY6SwARAQAB
+tEdBenVsIFN5c3RlbXMsIEluYy4gKFBhY2thZ2Ugc2lnbmluZyBrZXkuKSA8cGtp
+LXNpZ25pbmdAYXp1bHN5c3RlbXMuY29tPokCOAQTAQIAIgUCU2AVrwIbAwYLCQgH
+AwIGFQgCCQoLBBYCAwECHgECF4AACgkQsZmDYSGb2cnJ8xAAz1V1PJnfOyaRIP2N
+Ho2uRwGdPsA4eFMXb4Z08eGjDMD3b9WW3D0XnCLbJpaZ6klz0W0s2tcYSneTBaSs
+RAqxgJgBZ5ZMXtrrHld/5qFoBbStLZLefmcPhnfvamwHDCTLUex8NIAI1u3e9Rhb
+5fbH+gpuYpwHX7hz0FOfpn1sxR03UyxU+ey4AdKe9LG3TJVnB0WcgxpobpbqweLH
+yzcEQCNoFV3r1rlE13Y0aE31/9apoEwiYvqAzEmE38TukDLl/Qg8rkR1t0/lok2P
+G6pWqdN7pmoUovBTvDi5YOthcjZcdOTXXn2Yw4RZVF9uhRsVfku1Eg25SnOje3uY
+smtQLME4eESbePdjyV/okCIle66uHZse+7gNyNmWpf01hM+VmAySIAyKa0Ku8AXZ
+MydEcJTebrNfW9uMLsBx3Ts7z/CBfRng6F8louJGlZtlSwddTkZVcb26T20xeo0a
+ZvdFXM2djTi/a5nbBoZQL85AEeV7HaphFLdPrgmMtS8sSZUEVvdaxp7WJsVuF9cO
+Nxsvx40OYTvfco0W41Lm8/sEuQ7YueEVpZxiv5kX56GTU9vXaOOi+8Z7Ee2w6Adz
+4hrGZkzztggs4tM9geNYnd0XCdZ/ICAskKJABg7biDD1PhEBrqCIqSE3U497vibQ
+Mpkkl/Zpp0BirhGWNyTg8K4JrsQ=
+=d320
+-----END PGP PUBLIC KEY BLOCK-----

containerfiles/sendtierbeacon.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/bash
+LOGHOST="collector.testbed.tier.internet2.edu"
+LOGPORT="5001"
+if [ -s /opt/tier/env.bash ]; then
+  . /opt/tier/env.bash
+fi
+
+#below for syslog, F-TICKS style
+#LOGTEXT="TIERBEACON/TIER/1.0#IM=$IMAGENAME#PV=$VERSION#TR=$TIERVERSION#MT=$MAINTAINER#"
+
+#below for JSON/REST style
+LOGTEXT="{ \"msgType\" : \"TIERBEACON\", \"msgName\" : \"TIER\", \"msgVersion\" : \"1.0\", \"tbProduct\" : \"$IMAGENAME\", \"tbProductVersion\" : \"$VERSION\", \"tbTIERRelease\" : \"$TIERVERSION\", \"tbMaintainer\" : \"$MAINTAINER\" }"
+
+
+if [ -z "$TIER_BEACON_OPT_OUT" ]; then
+  #send JSON
+  echo $LOGTEXT > msgjson.txt
+  curl -s -XPOST "${LOGHOST}:${LOGPORT}/" -H 'Content-Type: application/json' -T msgjson.txt 1>/dev/null
+  if [ $? -eq 0 ]; then
+        echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; TIER beacon sent"
+  else
+        echo "tier_beacon;none;$ENV;$USERTOKEN;"`date`"; Failed to send TIER beacon"
+  fi
+
+  rm -f msgjson.txt
+
+  #below is for syslog, F-TICKS style
+  #`logger -n $LOGHOST -P $LOGPORT -t TIERBEACON $LOGTEXT`
+
+fi

containerfiles/setupcron.sh

@@ -0,0 +1,15 @@
+#!/usr/bin/bash
+
+CRONFILE=/opt/tier/tier-CRONFILE
+if [ ! -f /opt/tier/env.bash ]; then
+    printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^VERSION" > /opt/tier/env.bash
+    printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^TIERVERSION" >> /opt/tier/env.bash
+    printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^IMAGE" >> /opt/tier/env.bash
+    printenv | sed 's/^\(.*\)$/\1/g' | grep -E "^MAINTAINER" >> /opt/tier/env.bash
+fi
+
+echo $(expr $RANDOM % 59) $(expr $RANDOM % 3) "* * * /usr/bin/sendtierbeacon.sh >> /proc/1/fd/1 2>&1" >> ${CRONFILE}
+chmod 644 ${CRONFILE}
+
+#install crontab
+crontab ${CRONFILE}

containerfiles/supervisord.conf

@@ -0,0 +1,29 @@
+[supervisord]
+logfile=/proc/1/fd/1
+logfile_maxbytes=0
+loglevel=error
+nodaemon=true
+user=root
+
+[program:cron]
+command=/usr/sbin/crond -n
+autostart=true
+autorestart=true
+stdout_logfile=/proc/1/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/proc/1/fd/1
+stderr_logfile_maxbytes=0
+directory=/usr/bin
+
+[program:shibui]
+command=/usr/bin/java -jar /opt/shibui/shibui.jar
+directory=/opt/shibui
+autostart=true
+autorestart=true
+stdout_logfile=/proc/1/fd/1
+stdout_logfile_maxbytes=0
+stderr_logfile=/proc/1/fd/1
+stderr_logfile_maxbytes=0
+
+[include]
+files=/etc/supervisor/conf.d/*

test-compose/README.md

@@ -0,0 +1,3 @@
+This a sample Docker compose environment that will start the Shibboleth UI, Shibboleth IdP, LDAP server, and RDBMS.
+While this is useful for testing, it is recommended not to use this in a production environment; review the files,
+take inspiration, and configure a custom environment.

test-compose/docker-compose.yml

@@ -0,0 +1,43 @@
+version: "3.7"
+
+services:
+  ldap:
+    build: ./ldap
+    volumes:
+    - type: tmpfs
+      target: /var/lib/dirsrv
+  db:
+    image: mariadb
+    environment:
+      MYSQL_USER: shibui
+      MYSQL_PASSWORD: secret
+      MYSQL_DATABASE: shibui
+      MYSQL_RANDOM_ROOT_PASSWORD: "yes"
+    volumes:
+    - mariadb-data:/var/lib/mysql
+  shibui:
+    image: tier/shib-idp-ui:1.4.0
+    depends_on:
+    - db
+    ports:
+    - 8080:8080
+    volumes:
+    - generated-metadata:/generated-metadata
+    - generated-conf:/generated-conf
+    - ./shibui/conf/application.yml:/opt/shibui/application.yml
+    - ./shibui/idp-home:/idp-home
+  idp:
+    build: ./idp
+    depends_on:
+    - ldap
+    - shibui
+    ports:
+    - "443:443"
+    volumes:
+    - generated-metadata:/opt/shibboleth-idp/metadata/generated
+    - generated-conf:/opt/shibboleth-idp/conf/generated
+
+volumes:
+  generated-conf:
+  generated-metadata:
+  mariadb-data:

test-compose/idp/Dockerfile

@@ -0,0 +1,7 @@
+FROM tier/shib-idp:3.4.0_181002
+
+COPY container-files/conf/* /opt/shibboleth-idp/conf/
+COPY container-files/credentials/* /opt/shibboleth-idp/credentials/
+COPY container-files/metadata/* /opt/shibboleth-idp/metadata
+COPY container-files/tomcat-conf/server.xml /usr/local/tomcat/conf/test.xml
+COPY container-files/tomcat-conf/idp-browser.p12 /opt/certs

test-compose/idp/container-files/conf/attribute-filter.xml

@@ -0,0 +1,121 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!-- 
+    This file is an EXAMPLE policy file.  While the policy presented in this 
+    example file is illustrative of some simple cases, it relies on the names of
+    non-existent example services and the example attributes demonstrated in the
+    default attribute-resolver.xml file.
+    
+    Deployers should refer to the documentation for a complete list of components
+    and their options.
+-->
+<AttributeFilterPolicyGroup id="ShibbolethFilterPolicy"
+        xmlns="urn:mace:shibboleth:2.0:afp"
+        xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
+        xsi:schemaLocation="urn:mace:shibboleth:2.0:afp http://shibboleth.net/schema/idp/shibboleth-afp.xsd">
+
+    <!-- Release some attributes to an SP. -->
+    <AttributeFilterPolicy id="example1">
+        <PolicyRequirementRule xsi:type="Requester" value="https://sp.example.org" />
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <!-- Release eduPersonAffiliation to two specific SPs. -->
+    <AttributeFilterPolicy id="example2">
+        <PolicyRequirementRule xsi:type="OR">
+            <Rule xsi:type="Requester" value="https://sp.example.org" />
+            <Rule xsi:type="Requester" value="https://another.example.org/shibboleth" />
+        </PolicyRequirementRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="ANY" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+    <AttributeFilterPolicy id="Per-Attribute-singleValued">
+        <PolicyRequirementRule xsi:type="ANY"/>
+
+        <AttributeRule attributeID="eduPersonPrincipalName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonPrincipalName" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="uid">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="uid" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="mail">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="mail" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="surname">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="surname" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="givenName">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="givenName" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonAffiliation" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonScopedAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonScopedAffiliation" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonPrimaryAffiliation">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonPrimaryAffiliation" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonEntitlement">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonEntitlement" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonAssurance">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonAssurance" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="eduPersonUniqueId">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="eduPersonUniqueId" />
+        </AttributeRule>
+
+        <AttributeRule attributeID="employeeNumber">
+            <PermitValueRule xsi:type="EntityAttributeExactMatch"
+                             attributeName="http://shibboleth.net/ns/attributes/releaseAllValues"
+                             attributeValue="employeeNumber" />
+        </AttributeRule>
+    </AttributeFilterPolicy>
+
+</AttributeFilterPolicyGroup>